Little Pig, Little Pig! Let Me Admin! (Security Thread)

Mongrel
Posts: 13232
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Tue Oct 16, 2018 1:20 am

Shit, I already don't trust security updates.

Brentai
Woah Dangsaurus
Posts: 2632
Joined: Mon Jan 20, 2014 2:40 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Brentai » Tue Oct 16, 2018 11:00 am

Yeah, it's probably actually good for people to not blindly accept that everything a corporation pushes onto their system is going to be for their protection and benefit. I like the idea of the general public becoming more skeptical about everything being connected and modifiable by a remote party. That's probably a better move for WAN security than "Let's definitely assume every printer, refrigerator and air filter manufacturer is going to reliably secure its firmware."

Thad
Posts: 7195
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Tue Oct 16, 2018 11:24 am

It would be if the result was going to be "learn more about security and make sure you handle it personally, or get somebody who knows how to help you."

You know that's not going to be the result. The result is going to be that end users refuse any updates they're given a chance to refuse, and publishers respond by making it increasingly difficult to refuse updates.

That is not a good result. In the absolute best-case scenario, it takes us back to where we were before automatic updates, except back then most households only had one or two unsecure computers.

Brentai
Woah Dangsaurus
Posts: 2632
Joined: Mon Jan 20, 2014 2:40 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Brentai » Tue Oct 16, 2018 12:01 pm

Well no, I was hoping it would result in "End users become skeptical of unnecessary connectivity." The best way to secure your printer is to not put a separate client on your printer.

So yes, I guess I'm pushing for that exact best-case.

Thad
Posts: 7195
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Tue Oct 16, 2018 2:46 pm

OK, yeah, I'll buy that. I think networked printers are here to stay, but a lot of consumers DO seem to be getting more wary about the IoT, and that's a win.

That said, MS's update tactics over the past few years are similarly dangerous.

beatbandito
Posts: 2746
Joined: Tue Jan 21, 2014 8:04 am

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby beatbandito » Tue Oct 16, 2018 2:55 pm

I fell into a Microsoft "security update" trap a couple months back, myself.

I kept getting notifications to connect my work laptop to a windows live account or otherwise an accident may happen to all my poor data, and no one wants that. I couldn't put the time into making it go away permanently, since it's not like closing it and disabling notifications should do that or anything, and finally just logged in to my existing account to link them.

It then proceeded to completely fuck all the network connections to my laptop, because I wasn't actually just linking to a WL account, I was replacing my user account with it.

Büge
Posts: 3306
Joined: Mon Jan 20, 2014 6:56 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Büge » Tue Oct 16, 2018 10:54 pm

beatbandito wrote:
I kept getting notifications to connect my work laptop to a windows live account or otherwise an accident may happen to all my poor data, and no one wants that.

That's not a security update. That's a protection racket.

Büge
Posts: 3306
Joined: Mon Jan 20, 2014 6:56 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Büge » Tue Dec 18, 2018 9:19 am

Image

beatbandito
Posts: 2746
Joined: Tue Jan 21, 2014 8:04 am

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby beatbandito » Wed Feb 20, 2019 12:05 pm

I use a... 'network of doctors' I guess is the terrible name for only ever having to go to one building for specialists, and they have their own app to coordinate scheduling, patient information, payment information, and the like.

The other day I got the account disabled by trying too many incorrect passwords. Today it still won't let me in and gives a number to call to restore access. I give that number, give my name and birthday, and he reset the password.

This isn't to say he started the password recovery process or sent me an email with how to restore the information. The operator said "okay, your password is 1234 now, so use that to sign in and then change it back to whatever you want."

Which is... frightening.
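The reset described in the post hands the caller a password that the operator also knows, chosen by the operator, with no expiry and no proof that the caller is the account holder. As an added example (not from the post, and not the scheduling app's actual code, whose internals are unknown here), the following Python sketches the flow a self-service reset should have instead: the service issues a random one-time token, stores only a hash of it with a short expiry, and the token is consumed on first use, so nobody on the help desk ever learns a usable credential. The user records, passwords and clock are constructed for the example.

```python
"""Password reset with a one-time, expiring token (constructed example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # reset links should die quickly if unused


def _password_hash(password: str, salt: str) -> str:
    # PBKDF2 with a per-user salt; a slow hash so a leaked table is not a
    # cheap dictionary attack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


@dataclass
class User:
    username: str
    salt: str
    password_hash: str


@dataclass
class PendingReset:
    username: str
    expires_at: float


@dataclass
class ResetService:
    users: Dict[str, User] = field(default_factory=dict)
    # Pending resets are keyed by the SHA-256 of the token, never the token
    # itself, so a database read does not yield working reset links.
    pending: Dict[str, PendingReset] = field(default_factory=dict)
    clock: Callable[[], float] = time.time  # injectable for testing expiry

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_hex(16)
        self.users[username] = User(username, salt, _password_hash(password, salt))

    def check_login(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user.password_hash, _password_hash(password, user.salt))

    def start_reset(self, username: str) -> Optional[str]:
        # The returned token stands in for "delivered to the user's registered
        # contact address"; the person operating the help desk never sees it.
        # Unknown accounts get the same quiet outcome as known ones.
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.pending[token_hash] = PendingReset(username, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        # Pop unconditionally: a token is consumed by its first use, valid or not.
        pending = self.pending.pop(token_hash, None)
        if pending is None or self.clock() > pending.expires_at:
            return False
        user = self.users[pending.username]
        user.salt = secrets.token_hex(16)
        user.password_hash = _password_hash(new_password, user.salt)
        return True
```

Compare this with the anecdote: "1234" was known to a third party, was not time-limited, and could be handed out to anyone who knew a name and a birthday. Here the service only ever stores hashes, the token is useless after fifteen minutes or one use, and the new password is chosen by the account holder alone.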

Thad
Posts: 7195
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Sat May 25, 2019 11:45 am

First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

Bush league shit. You view a document, it has a URL ending in a number; if you manually enter other numbers, you can see other documents.

Say, you guys remember that temp job I had where I was working in a warehouse, and my bosses tried to get me promoted to desktop architecture, but management in Santa Ana declined and laid me off at Christmas? Yeah, these fucking guys.

I'm not saying "you know, if they'd given me that promotion, this wouldn't have happened," because who knows where I'd be right now if I'd gotten that desktop architecture gig; there's certainly no guarantee I would have wound up in web development, or even a job where I'd ever look at that website.

But I am saying that FATco had at least one worker who was a competent web developer who would have spotted this if he'd ever been given the opportunity, and with a staff of 18,000, I bet I wasn't the only one.
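The flaw Thad describes is a missing object-level authorization check: the numeric ID in the URL was treated as proof of entitlement, and because the IDs were sequential, anyone could walk them. As an added example, not code from the post or from the company, here is a small Python document store showing the unchecked lookup beside the corrected one, with two defensive measures a web developer reviewing that page would reach for: the ID is an opaque random value rather than a counter, and every fetch verifies that the requester owns the record. Refused lookups are recorded so that someone walking IDs shows up in monitoring. The owners and document contents are constructed sample data.

```python
"""Object-level authorization for document retrieval (constructed example)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Document:
    doc_id: str
    owner: str
    content: str


@dataclass
class DocumentStore:
    docs: Dict[str, Document] = field(default_factory=dict)
    # Audit trail of (requesting_user, doc_id) for every refused lookup.
    denied: List[Tuple[str, str]] = field(default_factory=list)

    def add(self, owner: str, content: str) -> str:
        # Opaque random identifier: there is no "next" ID to type into a URL.
        doc_id = secrets.token_urlsafe(16)
        self.docs[doc_id] = Document(doc_id, owner, content)
        return doc_id

    def fetch_unchecked(self, doc_id: str) -> Optional[str]:
        # The anti-pattern from the post: holding (or guessing) an ID is
        # enough to read the record. Kept here only for contrast.
        doc = self.docs.get(doc_id)
        return doc.content if doc else None

    def fetch(self, doc_id: str, requesting_user: str) -> Optional[str]:
        # Hardened: the ID is a lookup key, never an authorization decision.
        doc = self.docs.get(doc_id)
        if doc is None or doc.owner != requesting_user:
            # Same result for "no such document" and "not yours", so the
            # response does not reveal which IDs exist; log the refusal.
            self.denied.append((requesting_user, doc_id))
            return None
        return doc.content

    def enumeration_suspects(self, threshold: int = 5) -> List[str]:
        # A single principal collecting many refusals is the signature of
        # someone walking IDs; surface them for review.
        counts: Dict[str, int] = {}
        for user, _ in self.denied:
            counts[user] = counts.get(user, 0) + 1
        return sorted(user for user, n in counts.items() if n >= threshold)
```

Random IDs alone would not have been enough: an ID that leaks in a referrer or a shared link still has to fail the ownership check. The check is the fix; the opaque ID and the refusal log are what keep the fix from being the only thing standing.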

Mazian
Posts: 312
Joined: Sat Jan 25, 2014 3:47 pm
Location: Lullaby Supermarket

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mazian » Sat May 25, 2019 12:52 pm

Lovely. I'd be in those records.

I look forward to nothing happening, or receiving a form letter about how customer privacy is always their top priority, and then nothing happening.

Mongrel
Posts: 13232
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Fri Oct 18, 2019 2:11 pm



I will say that the only thing that really makes this all that notable is that not doing shit like this is ostensibly their primary purpose.

Brentai
Woah Dangsaurus
Posts: 2632
Joined: Mon Jan 20, 2014 2:40 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Brentai » Fri Oct 18, 2019 2:32 pm

They're also one of those entities that's allowed access to deeply sensitive information even if you have no business relationship with them.

Mongrel
Posts: 13232
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Mon Oct 21, 2019 2:37 am



lmao

Thad
Posts: 7195
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Mon Oct 21, 2019 12:11 pm

Here's what I had to say about that in 2017. My opinion is unchanged.

Thad wrote:
Equifax CIO and CSO "retire".

Seeing a lot of misogynistic commentary directed at the CSO, Susan Mauldin, mostly over a LinkedIn profile that showed she had degrees in music composition -- it also shows she'd held security positions at other companies, but everybody seems awfully interested in the "composition degrees" part, and it's hard to read those posts as anything but code for "girls can't computer".

It's unclear, at this point, just exactly what happened. We know they didn't patch a serious Struts vulnerability, and the Argentina region had a website with admin:admin as the username/password, but going straight from "someone made some very bad security decisions" to "music major" is awfully reductive.

It's entirely possible that this resulted from decisions that Mauldin made personally. And even if it didn't, the buck stops with the CSO; firing her was the right and necessary call.

Somebody -- almost certainly multiple somebodies -- fucked up here. It's entirely possible that Mauldin was an incompetent CSO who was either unaware of a serious vulnerability, or was aware of it and chose not to plug it in a timely fashion. It's also possible that she tried but was stymied by other executives (this isn't a simple matter of installing a patch; it would have meant installing a patch and then recompiling every Struts project on every website, which is exactly the kind of risky, time-consuming, and expensive process a short-sighted executive might put the kibosh on, and whatever else we know about Equifax at this point, we definitely know it is a company with short-sighted executives). Time will tell, and I'm sure there's plenty of blame to go around.

It may very well be that most of the blame rests with the CSO; it may very well be that she was dangerously unqualified. But I think too many people are drawing that conclusion too early, based on nothing more than a LinkedIn profile.
Here's a related article from the WaPo: Equifax’s security chief had some big problems. Being a music major wasn’t one of them.

Mongrel
Posts: 13232
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Mon Oct 21, 2019 2:15 pm

I wish that article had had literally anything on what, if any, mistakes HAD been committed by Equifax's security department.

As it stands, it's still a solid rebuttal of the general idea that a tech person needs specific formal qualifications, but does nothing to defend that CSO specifically (other than noting she did hold previous tech positions, though nothing particularly notable).