Posts: 4 | Comments: 953 | Joined: 2 yr. ago

  • Ya, I know that's exactly what's going to happen. But, you have to start somewhere. Just getting management used to the idea that data must be encrypted is a start. That will then push the software vendors in the space to make fundamental changes, which will hopefully improve things a bit.

    I actually have a pretty good example from my time in the US FedGov space. We were required (by our checkbox security) to enforce FIPS-140 compliance on all our systems. When working to set up a server for a new product, it just would not run with FIPS-140 in enforcement mode; so, I started digging into the product and found that they were still using the MD5 algorithm in their user password hashing process. Given how much the vendor really wanted our business (we were their "foot in the door" for more FedGov money), I sent an email to our customer service rep essentially saying "ya, MD5 as part of the password hashing is a deal breaker". A couple weeks later a new version of the product dropped and surprise, surprise, MD5 was no longer part of the password hashing process.

    The reliance on checkboxes sucks; but, they can be a useful club to make improvements. A shift to real security takes time and a lot of effort. But, that journey starts with a first step.
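The breakage described in the comment above, as an added example that is not the vendor's code or the commenter's: on a FIPS-enforcing host, Python's `hashlib.md5()` raises `ValueError` ("unsupported hash type"), so any login path that hashes with MD5 fails outright. The block contrasts the kind of salted-MD5 record the vendor was producing with a PBKDF2-HMAC-SHA-256 record, and adds the audit check a practitioner would run over a password table before turning enforcement on. The record formats (`md5$...`, `pbkdf2_sha256$...`) and the iteration count are assumptions for this illustration.

```python
"""Added example: why FIPS enforcement breaks MD5-based password storage,
and what the replacement looks like. Record formats are assumptions."""
import hashlib
import hmac
import secrets
from typing import List, Optional

PBKDF2_ITERATIONS = 600_000  # assumption: a current work factor for PBKDF2-HMAC-SHA256


def md5_available() -> bool:
    """True unless this Python/OpenSSL build refuses MD5, which is what a
    FIPS-enforcing host does (hashlib.md5() raises ValueError)."""
    try:
        hashlib.md5(b"")
        return True
    except ValueError:
        return False


def legacy_md5_record(password: str, salt: Optional[str] = None) -> str:
    """Salted-MD5 record of the kind the comment describes. On a FIPS host this
    raises ValueError at the hashlib.md5 call, i.e. logins stop working."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"md5${salt}${digest}"


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """FIPS-acceptable replacement: PBKDF2 with HMAC-SHA-256, random 16-byte salt."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> bool:
    """Constant-time comparison against whichever scheme the record uses."""
    scheme, *fields = record.split("$")
    if scheme == "md5":
        salt, digest = fields
        candidate = hashlib.md5((salt + password).encode()).hexdigest()
    elif scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest = fields
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        ).hex()
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return hmac.compare_digest(candidate, digest)


def fips_approved(record: str) -> bool:
    """Audit predicate: only records using an approved construction pass."""
    return record.split("$", 1)[0] in {"pbkdf2_sha256"}


def audit_records(records: List[str]) -> List[str]:
    """Return the records that would fail once FIPS enforcement is switched on.
    Run this over the password table *before* flipping enforcement mode."""
    return [r for r in records if not fips_approved(r)]


if __name__ == "__main__":
    # Constructed sample table: one legacy record (if MD5 is still available
    # on this host) and one compliant record.
    table = [pbkdf2_record("hunter2", iterations=1000)]
    if md5_available():
        table.append(legacy_md5_record("hunter2", salt="abcd1234"))
    print("records needing migration:", audit_records(table))
```

The audit finds the offending records by scheme tag, not by trying to hash, so it works the same on a host that already refuses MD5; migration then happens at next successful login, when the plaintext password is briefly available to re-hash.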

  • Similar age and ya, I remember sour packets being popular in middle school. Can't recall the name, but it was similar to the artificial sugar packets used for coffee, except it had a mixture of sugar and citric acid (the "sour" flavoring) in them.

  • While I'm not a fan of checkbox security, given that major parts of the healthcare industry don't even seem to get over that bar, maybe it's time to put something in place to give network defenders a lever to pull on to get the basics sorted.

    Not having MFA and encryption for data at rest should be treated as willful negligence when a company is breached.

  • Good riddance. I understand the whole Mii thing got popular and Microsoft wanted to chase that wave. But, they were just such an obvious "me too" addition to the Xbox 360 at the time and coincided with Microsoft changing out the functional Xbox 360 main panel for the ad-laden shit-fest that was the newer designs. But, maybe I'm just old and hate superfluous crap between me and playing my games.

  • Threat actors used an existing backdoor in a communications system to intercept communications in that system? Color me whatever the opposite of "shocked" is. This is exactly the problem which was brought up by security researchers when the NSA was asking for a frontdoor which would let them break encryption. Thankfully, we held the line in that battle of the Crypto Wars. But, the war never ends and we need to make sure folks remember this clusterfuck the next time the NSA starts pushing to break encryption.

  • he said. “You don’t even have to talk about you’re in a mass firing, a mass exodus. Just tell them they have to come back five days a week from 8 a.m. to 6 p.m.”

    Even with a 1-hour lunch, 8am to 6pm would be a 9-hour workday. So, bro is expecting folks to just accept a 45-hour workweek along with a complete return to office. Pretty sure he's going to get his 25% reduction. It's just going to be all of the most talented people saying "fuck that".

  • It may be a case of laziness which has started creating a local dialect. This is one of the ways living languages change over time: people start slurring words and sounds together until there is almost nothing left of the original words and there is a new word in their place.

  • Na, my experience is that Defender is fine with users downloading browsers and "updates" from random Russian sites. It's happy to let the users install that software and only bothers to log a "hey, maybe this was bad" alert some time later. Edge, on the other hand, loses its shit when you visit the official download sites for Chrome or Firefox.

  • You only get a short time with the pointy end of the spear and then once a sword wielder is inside your range, you’ve got an unwieldy stick and they have a sword. Good for stand off melee maybe but prob not.

    Yes, but getting in close without getting stabbed is really hard.
    Here's an actual example of modern HEMA folks giving it a lot of goes:
    https://www.youtube.com/watch?v=uLLv8E2pWdk

  • For a similar story, which isn't an urban legend: my mother used to be the main resource for an archeological information center in the US Southwest. When work crews dug up a body, she'd get a call from the coroner to ask, "is it yours or mine?" While both are going to want to know the cause of death, the coroner isn't going to open a criminal case for a Native American burial.

  • Do you think it's okay to not have an opinion on something?

    Yes, absolutely. There are enough issues in the world that you probably don't know about a lot of them. And even once you are made aware of an issue, you likely don't have enough information to form a well considered opinion. It's also possible that you will never have enough information on an issue to have a well formed opinion. You only have so many hours in a day and, unless an issue impacts you directly, it's quite possible that you just won't have the time to put into it. There's no reason to feel bad about this, the issues that are most important to me may not be the issues which are most important to you.

    How important is it to educate myself and ask questions?

    Very important. If you are going to have an opinion on something, you should try to have a basic understanding of the issue. You'll never be an expert on everything; but, for issues which you truly care about, you should have at least a passing understanding of the subject matter. Also, asking questions is always good. If someone is trying to shut down your asking questions, you should start questioning that person's motives.

    Do you feel that pressure to have an opinion on everything?

    Nope. One of the big secrets of life is learning to set boundaries. Just because someone else is incredibly passionate about something doesn't mean you need to be. Learn to tell people "fuck you and the horse that came on you". If that bothers them, then that's their problem, not yours. This isn't carte blanche to be an asshole, you should still strive to be a good person and act in pro-social ways. But, it does mean that you can draw a line and not have to own everyone else's problems all the time.

  • That sounds more like a feature than a bug. I remember when Twitter was actually useful. You could sort by "new" as the default and your feed only included stuff from people you followed. And then it went to complete shit with the sort defaulting to "fuck your preferences", sponsored content and your feed being littered with click bait, paid content and all the other bits of enshittification. And that is all built on the algorithmic selection of content.

  • Brussels sprouts. Absolutely hated them as a kid, which I blame my mother for. She "steamed" them in the microwave in a dish with water. Turned them into a slimy, horrible mush. My wife sautés them in a pan, with bacon. It's one of my absolute favorite dishes now.

  • I don’t see in what way having a PSN account would make Horizon Zero Dawn safer on PC.

    It's safer for Sony's stock price, as they can report higher numbers of people on the PlayStation Network and greater "player engagement". What, you thought this was about improving the experience for the customer? No one gives a fuck about them.

  • Step one, take a deep breath and realize that, unless you own the company, killing yourself to save it is dumb.
    That said, there are some things you can do to try and improve things:

    Learn to "talk business". Yup, this one sucks, but it's also the only way you are ever going to get traction. Take that Windows 7 system: why do you want to upgrade it? "Because security", right? Well, how does that translate into costs to the business? Because businesses don't care about security. I work in cybersecurity for a large (Fortune 500) company and upper management has given exactly zero fucks about security for a very long time. They only started coming around when that lack of security started costing them real money. They still give zero fucks about security, but they do care about risks to the business and what that might cost them. Having security and money linked in their heads means we can actually implement better security. You need to put the lack of security of that Windows 7 system in terms of dollars potentially lost. Something like the Annualized Loss Expectancy. If that box gets popped, how much would it reasonably cost the business to recover from? Is that something which you expect to happen once a year, once every five years? These numbers will be mostly made up and wildly inaccurate. But, the goal is to just get in the right ballpark. How does that cost compare with the cost to upgrade? What about other possible mitigating controls you could use to protect it? Does it need to have internet access? Could you VLAN it off into its own little world and keep it running with reduced risk? Give management the expected costs of that system becoming patient zero in a ransomware outbreak and then give them several options and the associated costs (upfront and ongoing) to secure it. Have multiple options. A high cost one (e.g. replace the box), a low cost one (FW and VLAN controls) and the one you actually want right in between (OS Upgrade). Managers are like children, they need to feel like they made a choice, even if you steered them into it.

    Next, don't try to boil the ocean. You're not going to fix everything, everywhere, all at once. Get some small wins under your belt and prove to management that you aren't going to break the business. Show that you aren't just some greenhorn cowboy who is going to break the business because you think you are so smart. If you can make a plan for that Windows 7 system, show the costs involved and actually get the job done smoothly, then you might be able to move on to other things. Sure, you might actually be right; but, you could also end up breaking a lot of stuff in your quest to have perfect security (which you'll never actually achieve). Take one or maybe two things at a time. It's a slow process and it leaves things broken far longer than you will like, but it builds trust and gets more action than just screaming about everything at everyone. Slow is steady, steady is fast.

    Moving on, be aware that you probably don't know everything about the business, and the business functioning is paramount. Why does everyone have local admin? Because that's the way it's always been and it has always worked. If you start pulling those permissions back, what processes get broken? This is a tough one, because it means documenting other people's processes, many of which probably only exist in the heads of those people. How often are people moving around critical files using CIFS and the C$ share? It's fucking stupid, but there's a good chance that the number is greater than zero. You pull local admin from people, and now work doesn't get done. If work doesn't get done, the business loses money. You need to have a plan which shows that you have considered these things. Design a slow rollout which phases local admin rights out for the users who are least likely to affect the business. Again, slow is steady, steady is fast.

    And this brings us to another point: auditors are your friends. No really, those folks who come in and ask you where all your documentation is and point out every single flaw in your network, ya, they deserve hugs not hate. You're in healthcare, where does your business fall on regulations like HIPAA (US-centric but similar regulations may apply in other countries)? 'Cause nothing says "fuck your wallet" to a business quite like failing an audit. If you can link the security failures of the business to required audit controls, that's going to give you tons of ammunition to get stuff done. I've watched businesses move mountains to comply with audit controls. Granted, it all becomes "checkbox security" at some point; but, that is vastly better than nothing.

    All that said, company loyalty is a sucker's game. I'm guessing you're early in your career and an early IT career likely means job hopping every 3 years or so. Unless you get a major promotion and associated pay bump in that time, it's probably time to move on. Later in your career, this can slow down as you top out in whatever specialization you choose (or you get lured in by the siren song of management). So, there is that to consider. It might just be time to go find greener pastures and discover that pastures are green because the cows shit all over them. But, it can feel better for a while. Having your resume up to date and flying it out there usually doesn't hurt. Don't job hop too fast or you start to look like a risk (I stick to a 1 year minimum). But, don't stick around trying to save a sinking company.

    Along with that, remember that you don't own the company; so, don't let it own you. When you get to the end of your day, go the fuck home. Don't let the business consume your personal time in actions or thoughts. If the place burns, that's the owner's problem, not yours. Do your best while on the clock, do try to make positive changes. But, killing yourself to make the owner just a bit richer makes no sense. The only person who is ever going to truly have your best interests in mind is you, don't lose sight of them. Say it with me, "Fuck you, pay me"

    So, where to go from here? Well, you sound like you have a good plan at the moment:

    I am also looking into getting my Linux+ (currently only have my A+)

    Sounds solid. If you care about security, let me recommend poking your head into the cybersecurity field. I am absolutely biased, but I feel it's a fantastic field to be in right now. Following up the Linux+ with the Sec+ can be a great start and maybe the Net+. The A+, Net+, Sec+ trifecta can open a lot of doors. And you now have some IT/systems background, which I always suggest for folks (I look for 3-5 years in IT on resumes). As a lead, I get to be in on interviews and always ask questions about networking, Active Directory, email security and Linux. I don't expect entry level analysts to know everything about all of them; but, I do expect them to be able to hold a conversation about them.

    Good luck, whatever path you choose.