Sickening
Jul 15, 2007

BLack Summer was the Best Summer

Zero VGS posted:

Nah, I use security groups in AWS so that only our whitelisted office IPs can communicate with the PBX.

Dear lord almighty.


The Fool
Oct 16, 2003



I don't have the words

CLAM DOWN
Feb 13, 2007


RICKARUS

It's Moot baby!






Zero VGS posted:

Nah, I use security groups in AWS so that only our whitelisted office IPs can communicate with the PBX.

Hahahaha

Zero VGS
Aug 16, 2002
"It has gunfights and shit!"


Lipstick Apathy

What amazing exploit are you guys coming up with for a server that can't hear from anything except the physical desk phones in our physical offices?

The Fool
Oct 16, 2003



I can guarantee that you are making a bad assumption there.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof


wolrah posted:

Uh, there have definitely been some important patches in that time period that you should have which require a reboot to install.

Whoo boy there sure have been.

Bypass-auth remote code execution fix was only like 6 or 7 months ago even.

Submarine Sandpaper
May 27, 2007



My boss would agree if that helps. "All security is network based"

Sickening
Jul 15, 2007

BLack Summer was the Best Summer

I don't think a PBX would be very useful if it can only talk to the phones in your office and nothing else. I feel like there is an important step missing there in the network considerations.

The good news is that unpatched PBXs are one of the highest demand systems out there. They make good money.

Zero VGS
Aug 16, 2002
"It has gunfights and shit!"


Lipstick Apathy

GnarlyCharlie4u posted:

Whoo boy there sure have been.

Bypass-auth remote code execution fix was only like 6 or 7 months ago even.

I do remember one years back where you could actually hijack the IVR to make a call at the company's expense, so there was that one. Anyway no one is going to make it back into the office to use these phones for at least a year.

Sickening posted:

I don't think a PBX would be very useful if it can only talk to the phones in your office and nothing else. I feel like there is an important step missing there in the network considerations.

The good news is that unpatched PBXs are one of the highest demand systems out there. They make good money.

Yeah and outbound to the SIP trunk (which is in the same AWS datacenter). I have to manually top up the minutes so there's not much monetary exposure.

Internet Explorer
Jun 1, 2005





Oven Wrangler

Zero VGS posted:

I do remember one years back where you could actually hijack the IVR to make a call at the company's expense, so there was that one. Anyway no one is going to make it back into the office to use these phones for at least a year.

Seems like a great time to patch...?

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof


Zero VGS posted:

What amazing exploit are you guys coming up with for a server that can't hear from anything except the physical desk phones in our physical offices?

You're putting a whole lot of faith in AWS there.

That point aside, if anything on your network is compromised, it's not terribly difficult for anyone to pivot from there and take complete control of your very vulnerable PBX.

Also, how does your PBX make outbound calls if it can't reach the internet?

E: beaten. ^^^

Zero VGS
Aug 16, 2002
"It has gunfights and shit!"


Lipstick Apathy

Internet Explorer posted:

Seems like a great time to patch...?

That's what I was thinking but I kinda don't wanna give you nerds the satisfaction.

Internet Explorer
Jun 1, 2005





Oven Wrangler

Zero VGS posted:

That's what I was thinking but I kinda don't wanna give you nerds the satisfaction.

You don't have to worry, our opinions on how to do IT couldn't be further apart. Shine on you crazy diamond.

[Edit: Just to be clear, "our" being mine and Zero VGS. Not trying to rope anyone else into this statement.]

Internet Explorer fucked around with this message at 15:53 on May 22, 2020

The Fool
Oct 16, 2003



Zero VGS posted:

That's what I was thinking but I kinda don't wanna give you nerds the satisfaction.

loving lol

stevewm
May 10, 2005


Grandstream recently had an issue where the management login screen for some of their devices had a SQL injection vulnerability.

Their forums filled up with people who had their systems hacked shortly before the problem was announced.

It is amazing the amount of people who will expose such systems to the internet without any type of firewall. Why the hell would you allow the management interface to be publicly accessible!?

Sickening
Jul 15, 2007

BLack Summer was the Best Summer

GnarlyCharlie4u posted:

You're putting a whole lot of faith in AWS there.

Trusting AWS on their security controls is actually well founded. Misusing those controls isn't their fault.

Sickening
Jul 15, 2007

BLack Summer was the Best Summer

Zero VGS posted:


Yeah and outbound to the SIP trunk (which is in the same AWS datacenter). I have to manually top up the minutes so there's not much monetary exposure.

You are putting a lot of blind trust in those networks. You are underestimating the level of exposure you put those systems into. Not patching the PBX is purposeful neglect.

CPColin
Sep 9, 2003

Big ol' smile.

Grimey Drawer

Speaking of networking, the network admins insisted I set up a host-based firewall on a new server, despite my weak protest that the campus-wide firewall was sufficient, as it was already restricting traffic to our building's subnet. They said, "Well what if somebody compromises one of your office computers and then uses it to attack your new server?"

Ok, guys, I'll set up the host-based firewall that restricts traffic to the same subnet that the campus-wide firewall does, in case somebody finds their way onto that subnet and is therefore allowed through both firewalls anyway! Whatever.

Sickening
Jul 15, 2007

BLack Summer was the Best Summer

CPColin posted:

Speaking of networking, the network admins insisted I set up a host-based firewall on a new server, despite my weak protest that the campus-wide firewall was sufficient, as it was already restricting traffic to our building's subnet. They said, "Well what if somebody compromises one of your office computers and then uses it to attack your new server?"

Ok, guys, I'll set up the host-based firewall that restricts traffic to the same subnet that the campus-wide firewall does, in case somebody finds their way onto that subnet and is therefore allowed through both firewalls anyway! Whatever.

There is some merit to what your network admin is asking. It's a really good habit to lock down remote access/management of your servers to only your bastions. Depending on how your network is set up, sometimes host-based firewalls are part of that locking down process. I usually would only advise this in instances where you can centrally manage them, like Windows Firewall for example.

Does your building's subnet only have servers that should be on the same logical network? Or is it workstations, servers, printers, and everything else as I would expect on a campus network VLAN/subnet?

CPColin
Sep 9, 2003

Big ol' smile.

Grimey Drawer

Sickening posted:


Does your building's subnet only have servers that should be on the same logical network? Or is it workstations, servers, printers, and everything else as I would expect on a campus network VLAN/subnet?

It's got everything on it. What the netadmins are asking is fine, it's just the justification that's silly, because anybody who's already gotten through the campus-wide firewall is obviously also going to get through a host-based firewall that has the same rules.

uhhhhahhhhohahhh
Oct 9, 2012


I know we should be using them but everyone acted like I'd failed them when I said the only way they could access the firewall management was through a terminal server on the VPN instead of directly from their laptops.

Internet Explorer
Jun 1, 2005





Oven Wrangler

CPColin posted:

It's got everything on it. What the netadmins are asking is fine, it's just the justification that's silly, because anybody who's already gotten through the campus-wide firewall is obviously also going to get through a host-based firewall that has the same rules.

This isn't true and is a fairly outdated mindset. Individual servers and endpoints should have their own firewalls. Expecting the perimeter firewall to save you completely is not good. Read up on Zero Trust Architecture, Microsegmentation, etc. But it has been the case for a long, long time that your internal devices should have firewalls. Like, Windows XP SP2 days.

Folks, good security is like an onion, it has layers.

Internet Explorer
Jun 1, 2005





Oven Wrangler

Also, I know everyone hates backups and they're never perfect but I absolutely cannot stand awful backup setups. I feel like every place I've ever walked into has had garbage backups and redoing it every single time is always so exhausting. How do these people sleep at night?

Relatedly, Microsoft Azure Backup Server (renamed System Center Data Protection Manager) sucks.

Sickening
Jul 15, 2007

BLack Summer was the Best Summer

CPColin posted:

It's got everything on it.

Well in that case then you have to protect your servers from things already in your perimeter. Having everything in the same subnet means that you have a lot of different ways systems can be compromised. The justification is pretty sound.

CPColin posted:

What the netadmins are asking is fine, it's just the justification that's silly, because anybody who's already gotten through the campus-wide firewall is obviously also going to get through a host-based firewall that has the same rules.

That isn't really true.

Internet Explorer
Jun 1, 2005





Oven Wrangler

Seems like as good a time as any to plug the InfoSec thread. Even if your job isn't "InfoSec," you should be keeping up as someone in the IT field.

https://forums.somethingawful.com/s...hreadid=3750534

Scientist Al Gore
May 20, 2006


Internet Explorer posted:

Also, I know everyone hates backups and they're never perfect but I absolutely cannot stand awful backup setups. I feel like every place I've ever walked into has had garbage backups and redoing it every single time is always so exhausting. How do these people sleep at night?

Relatedly, Microsoft Azure Backup Server (renamed System Center Data Protection Manager) sucks.

My dream is that one day Microsoft just buys out Veeam. That would solve so many problems.

The Fool
Oct 16, 2003



Scientist Al Gore posted:

My dream is that one day Microsoft just buys out Veeam. That would solve so many problems.

I don't think that would solve Veeam's support issues.

Scientist Al Gore
May 20, 2006


The Fool posted:

I don't think that would solve Veeam's support issues.

What kind of support issues have you had? I haven't worked with them in a while but I thought their products were great and worked. The same cannot be said for other backup solutions.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!

Grimey Drawer

Interviewing is the absolute worst. Code interviews are the worst. Reverse a string in place. gently caress you. I'll shell to the OS and let it do it. gently caress your rules.

Methanar
Sep 26, 2013



Code interviews are legit garbage. I can't believe anybody actually thinks they're a good enough idea to keep doing them after the first.

Mini take home assignments you have a week to do are fine. I'll never do a live code interview again.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!

Grimey Drawer

Fizz buzz man. You can call it whatever you want but it's still fizz buzz. I'm over this. I'm just gonna live on the dole and hope Bernie wins somehow.

12 rats tied together
Sep 7, 2006



It's reasonable to expect some level of like, socket programming, for an SRE role where you typically deal with distributed systems or things that talk over a network. You should know that, for example, by default you can't bind to an IP address that isn't configured on your node without setting whatever kernel flag allows nonlocal binds.

You should know udp is connectionless, probably something about nf_conntrack or whatever the windows version of that is. For someone with k8s on their resume I would expect a cursory explanation of the iptables insanity going on inside your typical k8s cluster, or at least some indicator that the CNI exists. If you have a language on your resume you should know when to use a set/hashmap/whatever vs when to use an array or list, and should be able to demonstrate some basic competency in parsing nested data structures in whatever language.

The softball AWS threw at me a while back was writing an extremely simple firewall rule evaluator as a live coding exercise, I thought that was fantastic because it starts off with a bunch of really obvious really bad mistakes you can make, and then you can move on into optimizations like not checking things you've already checked due to subnet masks, and then maybe some sorting bullshit or whatever.

Reversing a string is just lazy, and filters for the exact kind of person you don't want to hire into an SRE role unless you really want to hear about someone re-discovering what source NAT does to IP addresses every 3 months, forever.
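
The firewall rule evaluator described above, and the earlier exchange about a host-based firewall that merely copies the campus-wide rules versus one that limits management to the bastions, can both be shown with one small evaluator. This is an added example, not code from any poster in this thread or from AWS's exercise: it implements first-match evaluation over CIDR/protocol/port rules, the "already covered by an earlier subnet mask" check that flags unreachable (shadowed) rules, and a comparison of three policies for the server discussed above. All addresses (10.20.0.0/16 building subnet, 10.20.7.10 server, 10.20.0.5 bastion, 10.20.3.44 workstation) are constructed for the example.

```python
import ipaddress


class Rule:
    """One first-match firewall rule: action, source/destination CIDR,
    protocol ("tcp", "udp" or "any") and an inclusive destination port range."""

    def __init__(self, action, src, dst, proto="any", dports=None):
        self.action = action                  # "allow" or "deny"
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto = proto
        self.dports = dports                  # (low, high) or None for any port

    def matches(self, pkt):
        """Does this rule match a packet given as a dict (src, dst, proto, dport)?"""
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.dports is not None:
            low, high = self.dports
            if not low <= pkt["dport"] <= high:
                return False
        return True

    def covers(self, other):
        """True if every packet `other` could match is already matched by self,
        i.e. `other` can never fire if it sits below self in the list."""
        if not other.src.subnet_of(self.src) or not other.dst.subnet_of(self.dst):
            return False
        if self.proto != "any" and self.proto != other.proto:
            return False
        if self.dports is not None:
            if other.dports is None:
                return False
            return self.dports[0] <= other.dports[0] and other.dports[1] <= self.dports[1]
        return True


def evaluate(rules, pkt, default="deny"):
    """First matching rule wins; an implicit deny applies when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule's subnet
    masks, protocol and ports already cover everything they would match."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


def reaches(policies, pkt):
    """A packet gets through only if every firewall on the path allows it."""
    return all(evaluate(policy, pkt) == "allow" for policy in policies)


# Constructed addressing (not from the thread): building subnet 10.20.0.0/16,
# the new server at 10.20.7.10, the bastion host at 10.20.0.5.
SERVER = "10.20.7.10/32"

# Campus-wide firewall as described: anything in the building subnet reaches the server.
PERIMETER = [
    Rule("allow", "10.20.0.0/16", SERVER),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# A host firewall that simply repeats the perimeter rule adds no protection.
HOST_SAME_RULES = [
    Rule("allow", "10.20.0.0/16", SERVER),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# A host firewall that admits management (SSH) only from the bastion while the
# service port stays open to the building: a compromised workstation is stopped.
HOST_BASTION = [
    Rule("allow", "10.20.0.5/32", SERVER, "tcp", (22, 22)),
    Rule("allow", "10.20.0.0/16", SERVER, "tcp", (443, 443)),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# The obvious mistake from the interview exercise: a narrower deny placed below
# a broader allow is covered by it and never fires.
SLOPPY = [
    Rule("allow", "10.20.0.0/16", SERVER),
    Rule("deny", "10.20.3.0/24", SERVER, "tcp", (22, 22)),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed sample packets.
WORKSTATION_SSH = {"src": "10.20.3.44", "dst": "10.20.7.10", "proto": "tcp", "dport": 22}
WORKSTATION_HTTPS = {"src": "10.20.3.44", "dst": "10.20.7.10", "proto": "tcp", "dport": 443}
BASTION_SSH = {"src": "10.20.0.5", "dst": "10.20.7.10", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    for name, pkt in [("workstation ssh", WORKSTATION_SSH),
                      ("workstation https", WORKSTATION_HTTPS),
                      ("bastion ssh", BASTION_SSH)]:
        print(name, "same-rules host fw:", reaches([PERIMETER, HOST_SAME_RULES], pkt),
              "bastion-only host fw:", reaches([PERIMETER, HOST_BASTION], pkt))
    print("shadowed rules in SLOPPY:", shadowed_rules(SLOPPY))
```

The `covers` check is the subnet-mask optimization the exercise builds toward: once an earlier rule's source and destination networks, protocol and port range contain a later rule's, that later rule is dead and can be dropped from the evaluation path (or flagged as a policy bug, as with the misplaced deny in `SLOPPY`). The policy comparison makes the thread's two positions concrete: a host firewall carrying the same subnet-wide allow lets the compromised workstation through just as the perimeter does, while one that restricts the management port to the bastion does not.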

Scientist Al Gore
May 20, 2006


Unpopular opinion,

If you can't writeboard pseudocode, write a small script during an interview with a projector while I'm watching or walk me through how this PowerShell loop works then I'm going to have a hard time justifying hiring you no matter how great your resume looks.

KillHour
Oct 28, 2007




Scientist Al Gore posted:

Unpopular opinion,

If you can't writeboard pseudocode, write a small script during an interview with a projector while I'm watching or walk me through how this PowerShell loop works then I'm going to have a hard time justifying hiring you no matter how great your resume looks.

I have a hard time justifying working for someone who needs to put me on the spot and demand I write code without Google. Also, someone who can't spell whiteboard.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!

Grimey Drawer

KillHour posted:

I have a hard time justifying working for someone who needs to put me on the spot and demand I write code without Google. Also, someone who can't spell whiteboard.

I love you

The Fool
Oct 16, 2003



I am literally incapable of writing code without some sort of autocomplete/intellisense

Sickening
Jul 15, 2007

BLack Summer was the Best Summer

The Fool posted:

I am literally incapable of writing code without some sort of autocomplete/intellisense

Amen.

Like, I can't even loving spell anymore. Auto complete takes care of all of that for me. Google takes care of the rest. It's time to live in the future.

Inspector_666
Oct 7, 2003

benny with the good hair


In a similar vein, I was very self-conscious about my Powershell abilities because when I need to do reporting I generally just filter left as much as I can and dump poo poo into a CSV so I can manipulate it in Excel but you know what? gently caress it, it's way faster for me so if people don't like it they can gently caress off.

Sirotan
Oct 17, 2006

Sirotan is a seal.



Ham Wrangler

Internet Explorer posted:

Also, I know everyone hates backups and they're never perfect but I absolutely cannot stand awful backup setups. I feel like every place I've ever walked into has had garbage backups and redoing it every single time is always so exhausting. How do these people sleep at night?

Relatedly, Microsoft Azure Backup Server (renamed System Center Data Protection Manager) sucks.

I had to have a come to Jesus meeting with my boss this week after I discovered the state of backups for my team's servers and I'm pretty sure nothing will change unless I decide to become the backup czar and ughhhhhhh I know exactly what you mean.


Methanar
Sep 26, 2013



I forget how to type entirely when somebody is looking over my shoulder for the explicit purpose of judging me.

Maybe I'm just bad and actually an unhirable unskilled piece of poo poo but Okta wanted me to do some situation where I made and then pretended a nested dictionary was a database and update some subset of 'records' with a new pattern to simulate a schema update and a few other bullet points. Couldn't do it on the spot as I'm being stared at with a clock in the corner of the screen.

I probably could have done it just fine in the expected amount of time if I were doing it on my own.

Somebody else wanted me to instrument a prebuilt toy golang webapp with the prometheus library to get timeseries metrics for tracking response times or whatever in a take home project. That I'm fine with.

Live coding exercises are extremely dumb. If anybody ever tries to watch me work I'll tell them to stop looking at me so I can actually do it.

Methanar fucked around with this message at 00:15 on May 23, 2020
