Martytoof
Feb 25, 2003

 
 


Oops was I supposed to IP restrict phpmyadmin.twitter.com??


xtal
Jan 9, 2011



Well that's boring.

Cup Runneth Over
Aug 8, 2009

She said life's
too short to worry
She said life's
too long to wait
It's too short not
to love everybody
Life's too long to hate





quote:

Two former Twitter employees previously abused their access to spy on users for the Saudi regime, according to the Justice Department.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA



When you can do a select * from mytables where userID is like "enemy of the state", there isn't much you can't get away with.

RFC2324
Jun 7, 2012

Http 418


xtal posted:

We should bet on the outcome. Send your stake to the pool at bxysksjcjwwngodbauxivneoeidm

I put $50 on it.

E: poo poo, shoulda refreshed

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!

Pillbug

What we all kind of expected

https://twitter.com/har00ga/status/...6706247681?s=19

Cup Runneth Over
Aug 8, 2009

She said life's
too short to worry
She said life's
too long to wait
It's too short not
to love everybody
Life's too long to hate







https://betanews.com/2020/07/15/ufo-vpn-data-leak/

Absurd Alhazred
Mar 27, 2010

I'm the babyliberal, gotta love me!


https://twitter.com/AlexJamesFitz/s...485734644482049

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!

Pillbug

Least privileged access? Not in my social network management

RFC2324
Jun 7, 2012

Http 418


CommieGIR posted:

Least privileged access? Not in my social network management

More than one org I have been in ended up giving the most access to the lowest ranking people, due to the breadth of their duties and the laziness of the implementers. They may not do much with it, but it's common for them to have, say, root access so that they can fix user accounts in LDAP, just because someone didn't know how to do permissions based on group for the access, or felt it was overkill.

I know at one Fortune 500 company I worked at you had to give up a bunch of access when you got promoted from tier 2 (tasked with doing all kinds of crap across the whole org) to tier 3 (technical ownership of a silo), so this is likely pretty common.

spankmeister
Jun 15, 2008








Slippery Tilde


Hey let's be fair and real, this poo poo is hard. Fine-grained authorization is a very difficult problem, not only technically (which is the easy part) but more so organizationally. It's very hard to keep track of who needs to do what exactly, and to keep that information up to date.

Docjowles
Apr 9, 2009



Good to see nothing was learned from the Uber fiasco where the entire company had (still has?) access to tools that could find and track anybody’s location in real time. And a culture of using it inappropriately and bragging about it.


http://valleywag.gawker.com/uber-al...as-a-1642197313 and so on

Bonzo
Mar 11, 2004

Just like Mama used to make it!


Dinosaur Gum

what do you think RIM/blackberry employees used to do back in the day?

Schadenboner
Aug 15, 2011

I MEAN, TURN OFF YOURE MONITOR, MIGTH EXPLAIN YOUR BAD POSTS, HOPE THIS HELPS?!

Bonzo posted:

what do you think RIM/blackberry employees used to do back in the day?

Drink and pronounce words Canadianish?

CLAM DOWN
Feb 13, 2007


RICKARUS

It's Moot baby!




spankmeister posted:

Hey let's be fair and real, this poo poo is hard. Fine-grained authorization is a very difficult problem, not only technically (which is the easy part) but more so organizationally. It's very hard to keep track of who needs to do what exactly, and to keep that information up to date.

Yeah, every single org out there has issues with Least Privilege access, and I guarantee you that every org has lower level employees with elevated rights that they shouldn't have. Twitter, Uber, MS, your own company, etc.

Defenestrategy
Oct 24, 2010

Worst decision I ever made.


CLAM DOWN posted:

Yeah, every single org out there has issues with Least Privilege access, and I guarantee you that every org has lower level employees with elevated rights that they shouldn't have. Twitter, Uber, MS, your own company, etc.

Nope, sorry Clam, my company is perfect in its privilege access.

I have access to do and see everything, and everyone else doesn't

Bonzo
Mar 11, 2004

Just like Mama used to make it!


Dinosaur Gum

CLAM DOWN posted:

Yeah, every single org out there has issues with Least Privilege access, and I guarantee you that every org has lower level employees with elevated rights that they shouldn't have. Twitter, Uber, MS, your own company, etc.

One issue I'm battling now is that our consultants are allowed to log in with a SHARED WINDOWS ACCOUNT, so when an undocumented change is added and breaks poo poo, all we can see is this shared account logging into Windows. Of course no one at all made the change when questioned.

Yes I know it could be audited if I really wanted to but A) it's not my department, not my employees to discipline and B) you can only complain to upper-upper-management so much before you start to become annoying.

Bonzo fucked around with this message at 17:34 on Jul 24, 2020
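The audit Bonzo says is possible, as an added example that is not code from the thread: it pairs Windows Security events 4624 (logon) and 4634 (logoff) by LogonId and reports every interval in which one account was live on two different hosts at once, which is the signature of a shared credential and the window in which no change can be attributed to a single person. The account name, hosts and event records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of Security log events 4624 (logon) and
# 4634 (logoff); LogonId is the field Windows uses to pair the two.
EVENTS = [
    {"id": 4624, "t": "2020-07-24T09:00:00", "user": "svc-consult", "host": "WS-LAB1", "logon": "0x3e7a1"},
    {"id": 4624, "t": "2020-07-24T09:05:00", "user": "svc-consult", "host": "WS-LAB2", "logon": "0x3e8b2"},
    {"id": 4624, "t": "2020-07-24T09:10:00", "user": "bonzo", "host": "WS-OPS1", "logon": "0x3e9c3"},
    {"id": 4634, "t": "2020-07-24T10:00:00", "user": "svc-consult", "host": "WS-LAB1", "logon": "0x3e7a1"},
    {"id": 4634, "t": "2020-07-24T10:30:00", "user": "svc-consult", "host": "WS-LAB2", "logon": "0x3e8b2"},
    {"id": 4634, "t": "2020-07-24T11:00:00", "user": "bonzo", "host": "WS-OPS1", "logon": "0x3e9c3"},
]

def build_sessions(events):
    """Pair each 4624 with its 4634 by LogonId; a session with no logoff
    is still open and gets end=None."""
    sessions = {}
    for e in sorted(events, key=lambda e: e["t"]):   # ISO timestamps sort as text
        ts = datetime.fromisoformat(e["t"])
        if e["id"] == 4624:
            sessions[e["logon"]] = {"user": e["user"], "host": e["host"],
                                    "start": ts, "end": None}
        elif e["id"] == 4634 and e["logon"] in sessions:
            sessions[e["logon"]]["end"] = ts
    return list(sessions.values())

def shared_credential_windows(events):
    """Return {user: [(start, end, {host_a, host_b}), ...]} for every interval
    in which one account had live sessions on two different hosts at once.
    Anything changed inside such a window cannot be pinned on one person."""
    by_user = defaultdict(list)
    for s in build_sessions(events):
        by_user[s["user"]].append(s)
    findings = defaultdict(list)
    for user, sess in by_user.items():
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if a["host"] == b["host"]:
                    continue
                start = max(a["start"], b["start"])
                end = min(a["end"] or datetime.max, b["end"] or datetime.max)
                if start < end:
                    findings[user].append((start, end, {a["host"], b["host"]}))
    return dict(findings)

if __name__ == "__main__":
    for user, windows in shared_credential_windows(EVENTS).items():
        for start, end, hosts in windows:
            print(f"{user}: concurrent logons from {sorted(hosts)} {start} -> {end}")
```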

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!

Pillbug

RFC2324 posted:

More than one org I have been in ended up giving the most access to the lowest ranking people, due to the breadth of their duties and the laziness of the implementers. They may not do much with it, but it's common for them to have, say, root access so that they can fix user accounts in LDAP, just because someone didn't know how to do permissions based on group for the access, or felt it was overkill.

I know at one Fortune 500 company I worked at you had to give up a bunch of access when you got promoted from tier 2 (tasked with doing all kinds of crap across the whole org) to tier 3 (technical ownership of a silo), so this is likely pretty common.

Yeah, this is terrifying to me. It's well worth it to get group permissions worked out rather than giving blanket access like that.

Bonzo
Mar 11, 2004

Just like Mama used to make it!


Dinosaur Gum

CommieGIR posted:

Yeah, this is terrifying to me. It's well worth it to get group permissions worked out rather than giving blanket access like that.

I work in a Windows shop and I hear "Just add the EVERYONE user and give it full perms" wayyyyyy too often.
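A way to find the "EVERYONE with full perms" ACEs Bonzo complains about, as an added example that is not code from the thread: it parses the text `icacls <path>` prints and reports allow entries that hand Everyone, Authenticated Users or Users full, modify or write rights. The share paths and ACL output are constructed.

```python
import re

# Constructed sample of what `icacls <path>` prints: path, a space, the first ACE,
# then one indented ACE per line. Flags: (I) inherited, (OI)/(CI) inheritance
# scope, (DENY) deny entry, then rights (F full, M modify, W write, RX read).
SAMPLE = """\
C:\\Shares\\Finance Everyone:(OI)(CI)(F)
                   BUILTIN\\Administrators:(I)(OI)(CI)(F)
                   NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
C:\\Shares\\HR CORP\\HR-Staff:(OI)(CI)(M)
              NT AUTHORITY\\Authenticated Users:(OI)(CI)(W)
              Everyone:(DENY)(F)
C:\\Shares\\Public Everyone:(OI)(CI)(RX)
Successfully processed 3 files; Failed processing 0 files
"""

BROAD = {"everyone", "nt authority\\authenticated users", "builtin\\users"}
WRITE_RIGHTS = {"F", "M", "W"}
FIRST_RE = re.compile(r"^(?P<path>.+?)\s+(?P<who>[^:]+):(?P<perms>(?:\([^)]*\))+)$")
CONT_RE = re.compile(r"^(?P<who>[^:]+):(?P<perms>(?:\([^)]*\))+)$")

def parse_icacls(text):
    """Yield (path, principal, set_of_flags) for every ACE. The non-greedy path
    match makes a path that itself contains spaces ambiguous; run icacls per path."""
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        m = CONT_RE.match(line) if raw[:1].isspace() else FIRST_RE.match(line)
        if not m:
            continue
        if "path" in m.groupdict():
            path = m.group("path")
        flags = {f for grp in re.findall(r"\(([^)]*)\)", m.group("perms")) for f in grp.split(",")}
        yield path, m.group("who"), flags

def broad_write_aces(text):
    """Return [(path, principal, sorted_write_rights)] for allow ACEs that give
    a broad principal full/modify/write access; deny entries are skipped."""
    findings = []
    for path, who, flags in parse_icacls(text):
        if "DENY" in flags or who.lower() not in BROAD:
            continue
        hit = flags & WRITE_RIGHTS
        if hit:
            findings.append((path, who, sorted(hit)))
    return findings

if __name__ == "__main__":
    for path, who, rights in broad_write_aces(SAMPLE):
        print(f"{path}: {who} has {','.join(rights)}")
```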

Internet Explorer
Jun 1, 2005





Oven Wrangler

Bonzo posted:

I work in a Windows shop and I hear "Just add the EVERYONE user and give it full perms" wayyyyyy too often.

send them this

Garmin services and production go down after ransomware attack

Sickening
Jul 15, 2007

BLack Summer was the Best Summer


They also lmao, the fishing community appears to be up in arms about this too since they make fishing electronics. Amazing stuff.

Sir Bobert Fishbone
Jan 16, 2006

Beebort


Wonder if that affects the InReach products. I can imagine someone in the backcountry with an emergency situation might be kind of grumpy if their lifeline is unavailable.

Schadenboner
Aug 15, 2011

I MEAN, TURN OFF YOURE MONITOR, MIGTH EXPLAIN YOUR BAD POSTS, HOPE THIS HELPS?!

Sir Bobert Fishbone posted:

I can imagine someone in the backcountry with an emergency situation might be kind of grumpy if their lifeline is unavailable.

Probably not for very long, though?

Last Chance
Dec 31, 2004



Schadenboner posted:

Probably not for very long, though?

Depends on how much water or urine they have access to

Chimp_On_Stilts
Aug 31, 2004
Holy Hell.

A talk on Sandworm given by Google's Threat Analysis Group at last year's CYBERWARCON was posted to YouTube today:

https://www.youtube.com/watch?v=xoNSbm1aX_w

This is the group from Andy Greenberg's book of the same name.

xtal
Jan 9, 2011



CommieGIR posted:

Least privileged access? Not in my social network management

Not anywhere except very specific industries. Every company I've worked at, which includes some of the largest in the world, has let me access or impersonate every customer. One of them had logging, but since I built the logging code, it couldn't stop me very much.

Sort of like physical access to a machine is root, developers are always going to be able to access data. You might have hidden it from the internal admin page with access controls. But the developer can still go query the database. Or if they can't, they can ship code changes that result in those queries.

It should be assumed that when you host information with a company, everyone at that company has access to all the information. This is why we've been preaching decentralization for the last few decades.

The idea that any employee can read all your data is challenging to laypeople. They can either go full FOSS or build up some imaginary scenario about how their data is protected by access controls. Even though those do not exist. The only access control is when you control what you give them.

BTW, I also worked for a telco, and those thousands of minimum wage employees can look up the phone call records, change SIMs, of any person they want as well.

xtal fucked around with this message at 20:34 on Jul 24, 2020

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!

Anyone here using Zerotier? Opinions? Toying with alternatives to Wireguard that don't rely on DDNS.

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

Checked out tailscale?

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


We use Zerotier. I do not have to admin it at all, but it seems to work just fine from what I can tell. Our architect evaluated quite a few products prior to implementing, which was at least 2 years ago, maybe more, and chose it, so it must not be too bad to deal with.

I just use it so I can connect to a TS without using a VPN; I believe we are still at the free tier level.

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!

Yeah, I'm just giving it a test-run. Works nicely, but the UI is pretty meh.

Subjunctive posted:

Checked out tailscale?
Ooh, thanks for pointing that one out. --edit: drat, no Home Assistant add-on for it. I have to see how to get it to work over there. --edit: Hmm, it also uses the CGNAT address space, which is an issue, because my mobile gets put in CGNAT.

Combat Pretzel fucked around with this message at 21:51 on Jul 24, 2020

Phosphine
May 30, 2011




CommieGIR posted:

Yeah, this is terrifying to me. It's well worth it to get group permissions worked out rather than giving blanket access like that.

At my old job I had administrator access to Jira, both the software and the server it ran on. Jira had write access to LDAP. Through the Jira group management, I could add any LDAP group to any account, and it would automatically sync back to the controller, essentially granting me admin access to any service which used an LDAP group to grant it, with no trace since I also controlled the machine the logs were on. Services that relied on LDAP: literally all of them. Pretty sure I could've messed with payroll.

They're bankrupt now, unrelatedly.

Biowarfare
Nov 8, 2010

I JUST WISH THIS WAS A PONY SO I COULD JERK IT WHILE I PLAY WOW

Combat Pretzel posted:

Yeah, I'm just giving it a test-run. Works nicely, but the UI is pretty meh.

Ooh, thanks for pointing that one out. --edit: drat, no Home Assistant add-on for it. I have to see how to get it to work over there. --edit: Hmm, it also uses the CGNAT address space, which is an issue, because my mobile gets put in CGNAT.

Make your own network on my.zerotier and pick your own address space. It's self service/self assigned.

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!

Biowarfare posted:

Make your own network on my.zerotier and pick your own address space. It's self service/self assigned.

In Tailscale, not Zerotier. I have the latter working.

Harik
Sep 9, 2001

From the hard streets of Moscow
First dog to touch the stars




Plaster Town Cop

I'm grumpy that Apple has locked TLS to internet-connected servers listening on TCP with a valid cert chain to a trusted root.

Used to be able to use it with low-level read/write callbacks on a non-TCP transport but they say that API is not for use with new apps and should be phased out of existing apps.

I just wanted to talk to non-network connected devices that don't speak TCP, and pin their cert with verification during the setup process.

https://doc.libsodium.org/secret-ke...hy/secretstream looks to have better properties for the domain I'm working in (individual messages on a radio network) but secretstream doesn't have great binding support yet so that should be many shades of fun and exciting.

CyberPingu
Sep 15, 2013

Ready To Ruck!





Daily reminder that it doesn't matter how good your security is. Your staff are always the weakest link.

Education, zero trust and trying to get across the point that security is everyone's responsibility.

Do the fundamentals right before chucking loads of SaaS solutions at it.

D. Ebdrup
Mar 13, 2009



CyberPingu posted:

Daily reminder that it doesn't matter how good your security is. Your staff are always the weakest link.

Education, zero trust and trying to get across the point that security is everyone's responsibility.

Do the fundamentals right before chucking loads of SaaS solutions at it.
Implementing a two-person rule for every administrative change above a certain threshold, just like banks have had for decades upon decades, whereby any withdrawal above a certain amount has to be confirmed by a separate employee out back.
Also, that gets the added benefit that huge companies like Amazon don't blame their biggest downtime incident on a single employee, when it's the fault of the entire team including management that it could've happened in the first place.

But no, devops gotta devops all over everything.

CyberPingu
Sep 15, 2013

Ready To Ruck!





D. Ebdrup posted:

Implementing a two-person rule for every administrative change above a certain threshold, just like banks have had for decades upon decades, whereby any withdrawal above a certain amount has to be confirmed by a separate employee out back.
Also, that gets the added benefit that huge companies like Amazon don't blame their biggest downtime incident on a single employee, when it's the fault of the entire team including management that it could've happened in the first place.

But no, devops gotta devops all over everything.

Yep, every branch should require a PR from someone else before it can be merged.

evil_bunnY
Apr 2, 2003



https://twitter.com/ortegaalfredo/s...3526409216?s=21


Bonzo posted:

I work in a Windows shop and I hear "Just add the EVERYONE user and give it full perms" wayyyyyy too often.
People who say we'll run out of low-hanging fruits are so funny.

Defenestrategy
Oct 24, 2010

Worst decision I ever made.


Combat Pretzel posted:

Anyone here using Zerotier? Opinions? Toying with alternatives to Wireguard that don't rely on DDNS.

Currently using Zerotier to network all of our compute. I haven't really had a problem beyond learning how to do the initial setup. The biggest annoyance is remembering to prune network entries when we shut down end points so we don't accidentally fill up our allowance of entries.


RFC2324
Jun 7, 2012

Http 418


CommieGIR posted:

Yeah, this is terrifying to me. It's well worth it to get group permissions worked out rather than giving blanket access like that.

To be kinda fair to that f500, quite a few of the systems in place predated the concept of group permission. They had been updated so the systems in question supported it in theory, but refactoring access to take advantage of that just never ended up happening, and eventually it fell back into "it's always been that way"
