Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
namlosh
Feb 11, 2014

I blew up


Mr. Crow posted:



Also who pays for a password manager lmbo install syncthing and keypass, done. self hosted auto syncing cloud.

This... KeePassXC on Mac, KeepAss on windows, KepAssium on iPhone

E: Beaten, encrypted style...
I will say that I keep a copy on OneDrive which syncs pretty well, buuuuut I try to only edit the file and upload on one computer

namlosh fucked around with this message at 16:15 on Feb 17, 2021

Adbot
ADBOT LOVES YOU

BlankSystemDaemon
Mar 13, 2009

System Access Node Not Found



CommieGIR posted:

Don't kink shame.

And it's a total complete coincidence that both CommieGIR and I post in the digital packrats thread.

Ojjeorago
Sep 21, 2008

I had a dream, too. It wasn't pleasant, though ... I dreamt I was a moron...


Gary’s Answer

Mr. Crow posted:



Also who pays for a password manager lmbo install syncthing and keypass, done. self hosted auto syncing cloud.


You can selfhost Bitwarden too, pretty easy to throw on a Raspberry Pi or something.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano


Just buy 1password and it all magically "just works" with no messing about required. I say this as someone who is very reluctant to pay for software and with a high tolerance for janitoring stuff

F4rt5
May 20, 2006



I've used all of them extensively and now it's Bitwarden for life. Like to pay for your pw manager? 5$/yr if you want to - but you don't have to. Afraid of their cloud security? Host your own server. Afraid of the app's security? It's open source, compile it yourself. If you are a masochist. Otherwise rely on others' eyes to confirm it's cool and good and not stealing / pwning your gibson. User friendly like 1password? Yup. Available on all platforms? Yup.

Hand's down the best.

F4rt5 fucked around with this message at 18:25 on Feb 17, 2021

BlankSystemDaemon
Mar 13, 2009

System Access Node Not Found



Turns out we're all different and have different threat models, worries, and needs.

The Iron Rose
May 12, 2012

Cat Army


CommieGIR posted:

Don't kink shame.

your threat model is not my threat model, but your threat model is OK

The Fool
Oct 16, 2003



Iím a big fan of 1password but bitwarden is definitely a good choice too.

The Fool
Oct 16, 2003



The Iron Rose posted:

your threat model is not my threat model, but your threat model is OK

Iím a huge fan of this saying

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!


Pillbug

The Iron Rose posted:

your threat model is not my threat model, but your threat model is OK

I feel seen.

Strawberry Pyramid
Dec 12, 2020


KeepassXC doesn't support plugins, so that's a dealbreaker for me.

OG Keepass, Keepass2Android, and Google Drive provide literally all I need. No way to do shared accounts, but I have no accounts that should be accessed by anyone other than me anyway.

Subjunctive
Sep 12, 2006

sparkle and shine



BlankSystemDaemon posted:

Turns out we're all different and have different threat models, worries, and needs.

Whatís your threat model?

SpaceSDoorGunner
May 4, 2018




The Iron Rose posted:

your threat model is not my threat model, but your threat model is OK

Just lol if you donít make your own hardware back door free phone from silicon and copper that you mined in your backyard

Ynglaur
Oct 9, 2013



SpaceSDoorGunner posted:

Just lol if you donít make your own hardware back door free phone from silicon and copper that you mined in your backyard

But how do you securely source your rare earths, hmm?

Defenestrategy
Oct 24, 2010

Worst decision I ever made.


Catalytic converters stolen from junk yards

SpaceSDoorGunner
May 4, 2018




Ynglaur posted:

But how do you securely source your rare earths, hmm?

Get a really big backyard.

Boner Wad
Nov 16, 2003


Space Gopher posted:

If you don't like storing your passwords on cloud services I've got some real bad news about Dropbox

Oh my god what have I done.

BlankSystemDaemon
Mar 13, 2009

System Access Node Not Found



Subjunctive posted:

Whatís your threat model?
gently caress if I know anymore, I just touch computers.

RFC2324
Jun 7, 2012

http 418



SpaceSDoorGunner posted:

Get a really big backyard.

Just dig sideways

Mantle
May 15, 2004


Ever since I was a kid I've fantasized about hacking into systems and I recently learned about Hack The Box. I found the exercise to get the invite code fun and it's exciting to be poking around the lab boxes.

However it seems to pay much less than my current software dev role, despite seemingly being more difficult. Is it a career really only for passionate people?

CyberPingu
Sep 15, 2013



Mantle posted:

Ever since I was a kid I've fantasized about hacking into systems and I recently learned about Hack The Box. I found the exercise to get the invite code fun and it's exciting to be poking around the lab boxes.

However it seems to pay much less than my current software dev role, despite seemingly being more difficult. Is it a career really only for passionate people?

Depends on what country you live in. Also depends on the job role. Technically you could use offensive skills in a defensive "blue team" role that could net you a security engineer role that is comparable with dev salaries and seems to have a higher ceiling, this is the route I'm going down currently

CLAM DOWN
Feb 13, 2007


RICKARUS

It's Moot baby!




Mantle posted:

Is it a career really only for passionate people?

I personally don't think you can succeed or be of any quality in security unless you are passionate about it. So, in my opinion, yes.

BaseballPCHiker
Jan 16, 2006



CLAM DOWN posted:

I personally don't think you can succeed or be of any quality in security unless you are passionate about it. So, in my opinion, yes.

Personally I disagree. You can be good at your job and not passionate about it. I have a few people on my SOC team that have just had decades of experience from enterprise networking or server management they can lean on in addition to their security skills and be excellent. Those same people are more than happy to just punch in and out at the end of the day without caring deeply about the field.

What you do need to be passionate about is being good at your job regardless of what it is.

evil_bunnY
Apr 2, 2003



Yeah what you need is a lack of don't-give-a-poo poo-itis.

The Iron Rose
May 12, 2012

Cat Army


What you need is people and political skills because all the fancy security engineering in the world wonít help you if you canít break through bureaucratic inertia to institute change.

Martytoof
Feb 25, 2003







When you fall out of love with infosec you pivot to governance and audit.

This is the way.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

CLAM DOWN posted:

I personally don't think you can succeed or be of any quality in security unless you are passionate about it. So, in my opinion, yes.

In Security, like in most things, it's 10% of the people who are really passionate and pushing the envelope, and 90% of people who don't wake up every morning overjoyed at the thought of going to work to do <whatever>. But it's the 90% that are doing most of the actual work to implement the vision of the 10%. Well, assuming you're at a company large enough to actually have a team, rather than just have one or two guys as "the security (and probably several other things) people"--if you're the only guy, then yeah, you hopefully care a whole lot because no one else will.

evil_bunnY posted:

Yeah what you need is a lack of don't-give-a-poo poo-itis.

Yeah, more this. If you like it enough to be interested enough that your eyes don't glaze over and you mentally check out when dealing with it, you could still be a legitimate asset to a team.

In terms of "is it something that only passionate people do because there's no money in it," no--there's certainly money to be made. Often it's in terms of working for a pen-testing firm or other entity / team doing security assessments, though. Whether that pays more than your current role depends on a lot of things, not the least of which will be the reality that you've probably got a bunch of years of experience and proficiency as a SDE (and are paid accordingly), whereas moving over to a pen-testing role or similar you'd be starting back towards the bottom of the ladder (and paid accordingly).

People who are doing it as bug-bounty dudes, independent security researchers, or similar are usually more on the passionate side, though.

Diva Cupcake
Aug 15, 2005



If you're emotionally invested in your company's security posture, you're on a one-way track to alcoholism and benzos.

Care enough to find motivation to do good work. Have enough "don't care" to not overload your brain with anxiety and stress.

Ynglaur
Oct 9, 2013



BaseballPCHiker posted:

Personally I disagree. You can be good at your job and not passionate about it. I have a few people on my SOC team that have just had decades of experience from enterprise networking or server management they can lean on in addition to their security skills and be excellent. Those same people are more than happy to just punch in and out at the end of the day without caring deeply about the field.

What you do need to be passionate about is being good at your job regardless of what it is.

This. There is nothing wrong with doing the world's work and doing it well, even if one's passions lie elsewhere.

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!


Pillbug

Diva Cupcake posted:

If you're emotionally invested in your company's security posture, you're on a one-way track to alcoholism and benzos.

Care enough to find motivation to do good work. Have enough "don't care" to not overload your brain with anxiety and stress.

I'd argue being emotionally invested IS the one way track to alcoholism. If you work in Infosec, you'd better have a strong sense of humor and tough skin to having your advice ignored.

Can't count the number of times I've provided warning after warning only for my advice to be ignored and then the bad thing happens. This is why you document everything and ensure your manager/company contact signs off on risks they refuse to address.

CommieGIR fucked around with this message at 16:41 on Feb 19, 2021

RFC2324
Jun 7, 2012

http 418



CommieGIR posted:

I'd argue being emotionally invested IS the one way track to alcoholism. If you work in Infosec, you'd better have a strong sense of humor and tough skin to having your advice ignored.

Can't count the number of times I've provided warning after warning only for my advice to be ignored and then the bad thing happens. This is why you document everything and ensure your manager/company contact signs off on risks they refuse to address.

This sounds like I should move to infosec. Even my coworkers ignore my(security oriented) advice.

No one wants to take the extra steps to secure customer pii

Mantle
May 15, 2004


CyberPingu posted:

Depends on what country you live in. Also depends on the job role. Technically you could use offensive skills in a defensive "blue team" role that could net you a security engineer role that is comparable with dev salaries and seems to have a higher ceiling, this is the route I'm going down currently

This seems interesting. At what point does dabbling in red team skills become valuable in a blue team role? Is doing it for fun valuable or is it more something you have to be serious about?

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!


Pillbug

RFC2324 posted:

This sounds like I should move to infosec. Even my coworkers ignore my(security oriented) advice.

No one wants to take the extra steps to secure customer pii

If you point out a security issue, document it and escalate. If the manager signs off on it: Congrats, they own the risk. You are half way to being an effective Security Engineer.

RFC2324
Jun 7, 2012

http 418



CommieGIR posted:

If you point out a security issue, document it and escalate. If the manager signs off on it: Congrats, they own the risk. You are half way to being an effective Security Engineer.

For me its usually bringing things I see up to customers, because its not part of my company's security beyond certain paid for baselines(like pointing out to a customer that they had a bunch of stuff that was technically pii on an open share, but was not data most would want protected, like resumes), or having coworkers tell me their terrible techniques for trivializing the password policy. Nothing that would actually have action taken in my current role

CyberPingu
Sep 15, 2013



Mantle posted:

This seems interesting. At what point does dabbling in red team skills become valuable in a blue team role? Is doing it for fun valuable or is it more something you have to be serious about?

If you enjoy doing then do it for fun, that's how I started. You could always do bug bounty stuff on the side.

For the first question. It always helps knowing how the red team are trying to get in, what tools and methods they have at their disposal.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

Mantle posted:

This seems interesting. At what point does dabbling in red team skills become valuable in a blue team role? Is doing it for fun valuable or is it more something you have to be serious about?

At the point where the topics / systems you're dabbling in on the red side overlap with the topics / systems you're trying to defend on the blue side. Like if your blue-side job is just to push butan to manage users or something else terribly mundane, it might never matter. But if your role lets you have actual input on things, being able to understand how a malicious user can attack or exploit your system is always useful knowledge.

If you're doing something for "fun" you shouldn't be worrying about if it's "valuable"--it's fun! You're not gonna end up as a Srs Business security researcher just doodling around for fun, but learning things that could be useful in a current/future job is never bad.

Achmed Jones
Oct 16, 2004





eh, i used to be really into infosec stuff. then i had a kid and also it went from a hobby to my job. i'm good at it, but i spend my down time playing with my son or the puppy or whatever. i'm good at my job, but i also clock out at the end of the day.

the whole "you have to be passionate" thing is total bullshit. you only have to be passionate in fields that make you eat poo poo, like academia. we're computer touchers- we get paid exorbitant amounts of money to do things that are basically physically non-damaging (compared to labor at least). here it's fine to just be good. you can still come up with novel attacks, defenses, and architectures without putting in 60 hour weeks or whatever other definition of "passion" you want to use.

SpaceSDoorGunner
May 4, 2018




I was gonna say I know medical doctors that are just in it for the cash and prestige.

I know a lot more about medicine that I do infosec so far but if people are willing to go into a profession that basically means youíre studying an average of 4-6 hours a day while also working and going to classes and school almost full time for 4 more years and then do the residency hell just in the hope of a big paycheck or their parents loving them I canít imagine engineering is that different. Obviously the vast majority love it but not all.

CLAM DOWN
Feb 13, 2007


RICKARUS

It's Moot baby!




Being "passionate" about something does not equate whatsoever to not having work/life balance, working 60+ hours/week, being "emotionally invested" in a company, etc. Some of you are taking making huge extrapolations and leaps here and clearly have wild definitions of "passionate".

Adbot
ADBOT LOVES YOU

BlankSystemDaemon
Mar 13, 2009

System Access Node Not Found



My life philosophy is to work to live, not live to work.
That basically means doing fair work for fair pay.

That my hobbies sometimes overlap is just a value-add for my employer, but if my hobbies change it doesn't mean I'm going to work more unless I'm also paid a commensurate amount.

BlankSystemDaemon fucked around with this message at 12:01 on Feb 20, 2021

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply