this post was submitted on 23 Oct 2023
415 points (97.5% liked)

Ask Lemmy


One chestnut from my history in lottery game development:

While our security staff was incredibly tight and did a generally good job, oftentimes levels of paranoia were off the charts.

Once they went around hot gluing shut all of the "unnecessary" USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, also that every machine had a RW optical drive.

[–] [email protected] 257 points 1 year ago (27 children)

Often times you’ll find that the crazy things IT does are forced on them from higher ups that don’t know shit.

A common case of this is requiring password changes every x days, which is a practice that is known to actively make passwords worse.

[–] [email protected] 103 points 1 year ago (2 children)

Or it prompts people to just stick their "super secure password" with byzantine special character, numeral, and capital letter requirements to their monitor or under their keyboard, because they can't be arsed to remember what nonsensical piece of shit they had to come up with this month just to make the damn machine happy and allow them to do their jobs.

[–] [email protected] 44 points 1 year ago* (last edited 1 year ago) (15 children)

I do this in protest of asinine password change rules.

Nobody's gonna see it since my monitor is at home, but it's the principle of the thing.

[–] [email protected] 38 points 1 year ago

The DOD was like this. And it wasn't just that you had to change passwords every so often but the requirements for those passwords were egregious but at the same time changing 1 number or letter was enough to pass the password requirements.

[–] [email protected] 24 points 1 year ago (4 children)

I'm in IT security and I'm fighting this battle. I want to lessen the burden of passwords and arbitrary rotation is terrible.

I've run into a number of issues at my company that would give me the approval to reduce the frequency of expired passwords:

  • the company gets asked this question by other customers "do you have a password policy for your staff?" (that somehow includes an expiration frequency).

  • on-prem AD password complexity has some nice parts built in vs some terrible parts with no granularity. It's a single check box in gpo that does way too much stuff. I'm also not going to write a custom password policy because I don't have the skill set to do it correctly when we're talking about AD, that's nightmare inducing. (Looking at specops to help and already using Azure AD password protection in passive mode)

  • I think management is worried that a phishing event happens on a person with a static password and then unfairly conflating that to my argument of "can we just do two things: increase password length by 2 and decrease expiration frequency by 30 days"

At the end of the day, some of us in IT security want to do the right things based in common sense but we get stymied by management decisions and precedence. Hell, I've brought NIST 800-63B documentation with me to check every reason why they wouldn't budge. It's just ingrained in them - meanwhile you look at the number of tickets for password help and password sharing violations that get reported ... /Sigh

[–] [email protected] 149 points 1 year ago (10 children)

Banned open source software because of security concerns. For password management they require LastPass or that we write them down in a book that we keep on ourselves at all times. Worth noting that this policy change was a few months ago. After the giant breach.

And for extra absurdity: MFA via SMS only.

I wish I was making this up.

[–] [email protected] 86 points 1 year ago (1 children)

Banning open source because of security concerns is the opposite of what they should be doing if they care about security. You can't vet proprietary software.

[–] [email protected] 38 points 1 year ago

It's not about security, it's about liability. You can't sue OSS to get shareholders off your back.

[–] [email protected] 30 points 1 year ago

Do you work for a government?

[–] [email protected] 125 points 1 year ago (11 children)

Took away Admin rights, so every time you wanted to install something or do something in general that requires higher privileges, we had to file a ticket in the helpdesk to get 10 minutes of Admin rights.

The review of your request sometimes took up to 3 days. Fun times for a software developer.

[–] [email protected] 54 points 1 year ago (2 children)

We worked around this at my old job by getting VirtualBox installed on our PCs and just running CentOS or Ubuntu VMs to develop in. Developing on windows sucks unless you're doing .NET imo.

[–] [email protected] 43 points 1 year ago

Oh shit, you just reminded me of the time that I had to PHONE Macromedia to manually activate software because of the firewalling. This was after waiting days to get administrative permission to install it in the first place.

"Thank you" for helping resurface those horrible memories!

I don't miss those days.

[–] [email protected] 31 points 1 year ago (2 children)

3 days? That's downright speedy!

I submitted a ticket that fell into a black hole. I have long since found an alternate solution, but am now keeping the ticket open for the sick fascination of seeing how long it takes to get a response. 47 days and counting...

[–] [email protected] 105 points 1 year ago (3 children)

Over 150 Major Incidents in a single month.

Formerly, I was on the Major Incident Response team for a national insurance company. IT Security has always been in their own ivory tower in every company I've worked for. But this company IT Security department was about the worst case I've ever seen up until that time and since.

They refused to file changes, or discuss any type of change control with the rest of IT. I get that Change Management is a bitch for the most of IT, but if you want to avoid major outages, file a fucking Change record and follow the approval process. The security directors would get some harebrained idea in a meeting in the morning and assign one of their barely competent techs to implement it that afternoon. They'd bring down whatever system they were fucking with. Then my team had to spend hours, usually after business hours, figuring out why a system, which had not seen a change control in two weeks, suddenly stopped working. Would security send someone to the MI meeting? Of course not. What would happen is, we would call the IT Security response team and ask if anything changed on their end. Suddenly 20 minutes later everything was back up and running. With the MI team not doing anything. We would try to talk to security and ask what they changed. They answered "nothing" every god damn time.

They got their asses handed to them when they brought down a billing system which brought in over $10 Billion (yes with a "B") a year and people could not pay their bills. That outage went straight to the CIO and even the CEO sat in on that call. All of a sudden there was a hard change freeze for a month and security was required to file changes in the common IT record system, which was ServiceNow at the time.

We went from 150 major outages (defined as having financial, or reputation impact to the company) in a single month to 4 or 5.

Fuck IT Security. It's a very important part of every IT Department, but it is almost always filled with the most narcissistic incompetent asshats of the entire industry.

[–] [email protected] 43 points 1 year ago (7 children)

Jesus Christ, I never thought I'd be happy to have a change control process

[–] [email protected] 89 points 1 year ago (3 children)

Set the automatic timeout for admin accounts to 15 minutes....meaning that process that may take an hour or so you have to wiggle the mouse or it logs out ..not locks.... logs out

From installs to copying log files, to moving data to reassigning owner of data to the service account.

[–] [email protected] 53 points 1 year ago (18 children)

And that's why people use mouse jigglers and keep their computers unlocked 24/7.

[–] [email protected] 75 points 1 year ago (7 children)

One IT security team insisted we have separate source code repositories for production and development environments.

I’m honestly not sure how they thought that would work.

[–] [email protected] 25 points 1 year ago* (last edited 1 year ago) (1 children)

That's fucking bananas.

In my job, the only difference between prod/dev is a single environmental file. Two repositories would literally serve no purpose and if anything, double the chances of having the source code be stolen.

[–] [email protected] 53 points 1 year ago* (last edited 1 year ago) (3 children)

Not my IT department (I am my IT department): One of the manufacturers for a brand of equipment we sell has a "Dealer Resource Center," which consists solely of a web page where you can download the official product photography and user's manuals, etc. for their products. This is to enable you to list their products on your e-commerce web site, or whatever.

Apparently whoever they subcontracted this to got their hands on a copy of Front End Dev For Dummies, and in order to use this you must create a mandatory account with minimum password complexity requirements, and solve a CAPTCHA every time you log in. They also require you to change your password every 60 days, and if you don't they lock your account and you have to call their tech support.

Three major problems with this:

  1. There is no verification check that you are actually an authorized dealer of this brand of product, so any fool who finds this on Google and comes up with an email address can just create an account and away you go downloading whatever you want. If you've been locked out of your account and don't feel like picking up the telephone -- no problem! Just create a new one.

  2. There is no personalized content on this service. Everyone sees the same content, and it's not like there's a way to purchase anything on here or anyway, and your "account" stores no identifying information about you or your dealership that you feel like giving it other than your email address. You are free to fill it out with a fake name if you like; no one checks. You could create an account using [email protected] and no one would notice.

  3. Every single scrap of content on this site is identical to the images and .pdf downloads already available on the manufacturer's public web site. There is no privileged or secure content hosted in this "Resource Center" whatsoever. The pictures aren't higher res or anything. Even the file names are the same. It's obviously hooked up to the same backend as the manufacturer's public web site. So if there were such a thing as a "bad actor" who wanted to obtain a complete library of glamor shots of durable goods, for some reason, there's nothing stopping them from scraping the public web site and coming up with literally exactly the same thing.

It's baffling.

[–] [email protected] 50 points 1 year ago (3 children)

Hasn't made life hell, but the general dumb following of compliance has left me baffled:

  • users must not be able to have a crontab. Crontab for users disabled.
  • compliance says nothing about systemd timers, so these work just fine 🤦

I've raised it with security and they just shrugged it off. Wankers.
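
Added example (not part of the original comment): the gap described above, where crontab is disabled but systemd user timers still work, shows up when every per-user scheduling path is audited together. The function names, the `/home/<user>` layout and the fixture are assumptions made for illustration; with neither `cron.allow` nor `cron.deny` present the behaviour is distribution-dependent and is treated here as permitted.

```bash
#!/usr/bin/env bash
# Added example: audit all per-user job schedulers, not only crontab.
# Function names and the /home/<user> layout are assumptions for illustration.
# ROOT may point at a mounted image or a fixture; empty means the live system.

TAB=$(printf '\t')

# Print "mechanism<TAB>user<TAB>path" for every scheduling artifact found.
audit_user_schedulers() {
    local root="${1:-}" home user f
    # Per-user crontabs (Debian spool layout, then RHEL layout).
    for f in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        printf 'crontab\t%s\t%s\n' "$(basename "$f")" "$f"
    done
    # systemd user timer units, which a user can create without root.
    for home in "$root"/home/*; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        for f in "$home"/.config/systemd/user/*.timer \
                 "$home"/.local/share/systemd/user/*.timer; do
            [ -f "$f" ] || continue
            printf 'systemd-timer\t%s\t%s\n' "$user" "$f"
        done
    done
    # Lingering keeps a user's timers firing with no login session.
    for f in "$root"/var/lib/systemd/linger/*; do
        [ -f "$f" ] || continue
        printf 'linger\t%s\t%s\n' "$(basename "$f")" "$f"
    done
}

# Succeed if USER may run crontab under the cron.allow / cron.deny rules.
cron_permitted() {
    local root="$1" user="$2"
    if [ -f "$root/etc/cron.allow" ]; then
        grep -qxF -- "$user" "$root/etc/cron.allow"
    elif [ -f "$root/etc/cron.deny" ]; then
        ! grep -qxF -- "$user" "$root/etc/cron.deny"
    else
        return 0    # assumption: no policy file means permitted
    fi
}

# Print "user<TAB>path" for timers owned by users who are barred from crontab:
# the place where the written control and the real behaviour diverge.
policy_gaps() {
    local root="${1:-}" mech user path
    audit_user_schedulers "$root" | while IFS="$TAB" read -r mech user path; do
        [ "$mech" = systemd-timer ] || continue
        cron_permitted "$root" "$user" || printf '%s\t%s\n' "$user" "$path"
    done
}

# Build a constructed fixture: crontab locked down, alice still has a timer.
make_fixture() {
    local fx
    fx=$(mktemp -d) || return 1
    mkdir -p "$fx/etc" "$fx/var/lib/systemd/linger" \
             "$fx/home/alice/.config/systemd/user" "$fx/home/bob"
    : > "$fx/etc/cron.allow"    # empty allow list: no ordinary user may use crontab
    printf '[Timer]\nOnCalendar=daily\n[Install]\nWantedBy=timers.target\n' \
        > "$fx/home/alice/.config/systemd/user/sync.timer"
    : > "$fx/var/lib/systemd/linger/alice"
    printf '%s\n' "$fx"
}

# Run against the constructed fixture only when asked to.
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    audit_user_schedulers "$fx"
    echo "cron-restricted users with timers:"
    policy_gaps "$fx"
    rm -rf "$fx"
fi
```

System-wide timers under `/etc/systemd/system` and `at` jobs are outside what this sketch covers and would need their own checks.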

[–] [email protected] 49 points 1 year ago (1 children)

I had to run experiments that generate a lot of data (think hundreds of megabytes per minute). Our laptops had very little internal storage. I wasn't allowed to use an external drive, or my own NAS, or the company share - instead they said "can't you just delete the older experiments?"... Sure, why would I need the experiment data I'm generating? Might as well /dev/null it!

[–] [email protected] 47 points 1 year ago (3 children)

Mozilla products banned by IT because they had a vulnerability in a previous version.

Rant: It was so bullshit. I had Mozilla Firefox 115.1 installed, and Mozilla put out an advisory, like they do all the fucking time. Fujitsu made it out to be some huge huge unfixed bug the very next day in an email after the advisory was posted and the email chain basically said "yk, we should just remove all Firefox. It's vulnerable so it must be removed."

I wouldn't be mad if they decided that they didn't want to have it be a managed app or that there was something (actually) wrong with it or literally anything else than the fact that they didn't bother actually reading either fucking advisory and decided to nuke something I use daily.

[–] [email protected] 47 points 1 year ago (2 children)

Removed admin access for all developers without warning and without a means for us to install software. We got access back in the form of a secondary admin account a few days later, it was just annoying until then.

[–] [email protected] 32 points 1 year ago* (last edited 1 year ago) (1 children)

I had the same problem once. Every time I needed to be an admin, I had to send an email to an outsourced guy in another country, and wait one hour for an answer with a temporary password.

With WSL and Linux, I needed to be admin 3 or 4 times per day. I CCed my boss for every request. When he saw that I was waiting and doing nothing for 4 hours every day, he sent them an angry email and I got my admin account back.

The stupid restriction was meant for managers and sales people who didn’t need an admin account. It was annoying for developers.

[–] [email protected] 45 points 1 year ago

Admin access needed to change the clock, which was wrong. Missed a train because of that.

[–] [email protected] 45 points 1 year ago (6 children)

We can't run scripts on our work laptop because of domain policy. Thing is, I am a software developer. They also do not allow docker without some heavy approval process, nor VMs. So I'm just sitting here remoting into a machine for development...which is fine but the machine is super slow. Also their VPN keeps going down, so all the software developers have to reconnect periodically all at the same time.

At my prior jobs, it was all open so it was very easy to install the tools we needed or get approval fairly quickly. It's more frustrating than anything. At least they give us software development work marked months out.

[–] [email protected] 23 points 1 year ago* (last edited 1 year ago) (1 children)

I cannot remember the specifics because it's going back almost 15 years now but at one point...crontab (edit and other various vital tools) was disabled by policy.

To get necessary processes/cleanup done at night, I used a scheduled task on a Windows PC to run a BAT that opened a macro program which opened a remote shell and "typed" the commands.

Fuuuuuuck.

[–] [email protected] 22 points 1 year ago (2 children)

My dev pc isn't allowed to be connected to the internet :D

[–] [email protected] 45 points 1 year ago (1 children)

Locked down our USB ports. We work on network equipment that we have to use the USB port to log in to locally.

[–] [email protected] 43 points 1 year ago (11 children)

ZScaler. It's supposedly a security tool meant to keep me from going to bad websites. The problem is that I'm a developer and the "bad website" definition is overly broad.

For example, they've been threatening to block PHP.Net for being malicious in some way. (They refuse to say how.) Now, I know a lot of people like to joke about PHP, but if you need to develop with it, PHP.Net is a great resource to see what function does what. They're planning on blocking the reference part as well as the software downloads.

I've also been learning Spring Boot for development as it's our standard tool. Except, I can't build a new application. Why not? Doing so requires VSCode downloading some resources and - you guessed it - ZScaler blocks this!

They've "increased security" so much that I can't do my job unless ZScaler is temporarily disabled.

[–] [email protected] 42 points 1 year ago* (last edited 1 year ago) (1 children)

They set zscaler so that if I don't access an internal service for an unknown number of months, it means I don't need it "for my daily work", so they block it. If I want to access it again I need to open a ticket. There is no way to know what they closed and when they'll close something.

In the 1 month since this policy has been active, I have already opened tickets to access test databases, k8s control plane, quality control dashboards, tableau server...

I really cannot comment how wrong it is.

[–] [email protected] 30 points 1 year ago (2 children)

Zscaler is one of the worst products I've had the displeasure to interact with. They implemented it at my old job and it said that my home Internet connection was insecure to connect to the VPN. Cyber Sec guys couldn't figure out the issue because the logs were SO helpful.

Took working with their support to find that it has somehow identified my nonstandard address spacing on my LAN to be insecure for some reason.

I kept my work laptop on a separate vlan for obvious reasons.

[–] [email protected] 41 points 1 year ago (4 children)

Worked a job where I had to be a Linux admin for a variety of VMs. To access them, I needed a VPN that only worked inside the company LAN, and blocked internet access. It was a 30 day trial license on day 700-something, so it had a max 5 simultaneous connection limit. Access was from my heavily locked down laptop. Windows 7 with 5 minutes locking screensaver. The ssh software was an unknown brand, "ssh.exe" which only allowed one connection at a time in a 80 x 24 console window with no ability to copy and paste. This went to a bastion host, an HP-UX box on an old csh shell with no write access to your home directory due to a 1.4mb disk quota per user. Only one login per user, ten login max, and the bastion host was the only way to connect to the Linux VMs. Default 5 minute logout for inactivity. No ssh keys allowed. No scripting allowed, was like typing over 9600 baud.

I quit that job. When asked why, I told them I was a Linux administrator and the job was not allowing me to administrate. I was told "a poor carpenter always blames his tools." Yeah, fuck you.

[–] [email protected] 40 points 1 year ago

Here in Portugal the IT guys at the National Health Service recently blocked access to the Medical Doctor's Union website from inside the national health service intranet.

The doctors are currently refusing to work any more overtime than the annual mandatory maximum of 150h so there are all sorts of problems in the national health service at the moment, mainly with hospitals having to close down emergency services to walk-in patients (this being AskLemmy, I'll refrain from diving into the politics of it) so the whole thing smells of something more than a mere mistake.

Anyways, this has got to be one of the dumbest abuses of firewalling "dangerous" websites I've seen in a long while.

[–] [email protected] 38 points 1 year ago (1 children)

Oh man. Huge company I used to work for had:

  • two separate Okta instances. It was a coin toss as to which one you'd need for any given service

  • oh, and a third internally developed federated login service for other stuff

  • 90 day expiry for all of the above passwords

  • two different corporate IM systems, again coin toss depending on what team you're working with

  • nannyware everywhere. Open Performance Monitor and watch network activity spike anytime you move your mouse or hit a key

  • an internally developed secure document system used by an international division that we were instructed to never ever use. We were told by IT that it "does something to the PC at a hardware level if you install the reader and open a document" which would cause a PC to be banned from the network until we get it replaced. Sounds hyperbolic, but plausible given the rest of the mess.

  • required a mobile authenticator app for some of the above services, yet the company expected that us grunts use our personal devices for this purpose.

  • all of the above and more, yet we were encouraged to use any cloud hosted password manager of our choosing.

[–] [email protected] 38 points 1 year ago (7 children)

I am not allowed to change my wallpaper.

[–] [email protected] 37 points 1 year ago (2 children)

Blocked the OWASP web site because it was categorized as “hacking materials”.

[–] [email protected] 36 points 1 year ago (7 children)

We have a largeish number of systems that IT declared categorically could not connect directly to the Internet for any reason.

So guess what systems weren't getting updates. Also guess what systems got overwhelmed by ransomware that hit what would have been a patched vulnerability, that came through someone's laptop that was allowed to connect to the Internet.

My department was fine, because we broke the rules to get updates.

So did network team admit the flaw in their strategy? No, they declared a USB key must have been the culprit and they literally went into every room and confiscated all USB keys and threw them away, with quarterly audits to make sure no USB keys appear. The systems are still not being updated and laptops with Internet connection are still indirectly bridging them.

[–] [email protected] 35 points 1 year ago (3 children)

The network has been subnetted into departments. Problem: I, from development, get calls from service about devices that have issues. Before the subnetting, they simply told me the serial number, and I let my army of diagnosis tools hit the unsuspecting device to get an idea what's up with it. Now they have to bring it over and set up all the attached devices here so I can run my tests.

[–] [email protected] 31 points 1 year ago (1 children)

Worked at a medium sized retail startup as a software engineer where we didn't have root access to our local laptops, under the guise of "if you fuck it up we won't be able to fix it" but we only started out with a basic MacBook setup. So every time I wanted to install a tool, IDE, or VM I had to make a ticket to IT to come and log in with the password and explain what I was doing.

Eventually, the engineering dept bribed an IT guy to just give us the password and started using it. IT MGMT got pissed when the number of tickets dropped dramatically and realized what was going on.

We eventually came to the compromise that they gave us sudo access with the warning "we're not backing anything up. If you mess up we'll have to factory reset the whole machine". Nobody ever had to factory reboot their machine because we weren't children... And if there was an issue we just fixed it ourselves

[–] [email protected] 30 points 1 year ago (2 children)

A long time ago in a galaxy far away (before the internet was a normal thing to have) I provided over-the-phone support for a large and complex piece of software.

So, people would call up and you had to describe how they could do the thing they needed to do, and if that failed they would have to wait a few days until you went to the site to sort it in person.

The software we supported was not on the approved list for the company I worked for, so you couldn't use it within the building where the phones were being answered.

[–] [email protected] 30 points 1 year ago (1 children)

There was a server I inherited from colleagues who resigned, mostly static HTML serving. I would occasionally do an apt update && apt upgrade to keep nginx and so on updated and installed certbot because IT told me that this static HTML site should be served via HTTPS, fair enough.

Then I went on parental leave and someone blocked all outgoing internet access from the server. Now certbot can't renew the certificate and I can't run apt. Then I got a ticket to update nginx and they told me to use SSH to copy the files needed.

[–] [email protected] 24 points 1 year ago (1 children)

Endless approval processes are a good one. They don't even have to be nonsensical. Just unnecessarily manual, tedious, applied to the simplest changes, with long wait times and multiple steps. Add time zone differences and pile up many different ones, and life becomes hell.

[–] [email protected] 24 points 1 year ago* (last edited 1 year ago) (1 children)

Ours is terrible for making security policy that will impact technical solution options in a vacuum with a few select higher level IT folks and no one sorts out the process to using the new "secure" way first. Ending up in finding out something you thought would be a day or 2 task ends up being a weeks long odyssey to define new processes and technical approaches. Or sometimes just outright abandoning the work because the headache isn't worth it.

[–] [email protected] 22 points 1 year ago

Made me write SQL updates that had to be run by someone in a different state with pretty much no knowledge of SQL.
