I've said it before, and apparently I'll say it again.
1. ...like onions.
2. ...all about risk management.
Good security has layers - a single edge firewall protects against one attack surface...and leaves the rest wide open. AV, host firewalls, etc., are all layers that add to overall protection.
Which layers do you need? Depends on the risk your devices pose. Database of PII/PHI? Damn right you need all those layers. Dev box? Maybe not.
CVE-2018-16864 : exploitable since 2016
CVE-2018-16865 : exploitable since 2013
CVE-2018-16866 : exploitable since 2015 (but fixed by mistake on 08/2018)
- brick PC bugs (EFI erase) ✔️
- Many accounts of unbootable machines after an upgrade ✔️
- Uncountable vulns for years ✔️
Seriously, what is it gonna take for distros to finally put systemD(isaster) back in the trash dump where it belongs??
Oh, and is any Linux distro lead willing to share the huge hush money they must have won to accept that utterly shitty piece of trash in the first place?
I don't see any other reasons now...
If your website has password complexity requirements...maybe you should actually TELL PEOPLE. Don't just fail and give a generic "Our site is broken" page.
I'm looking at you, GlobalKnowledge.
My randomly-generated password from my vault was no good, because (presumably) the special characters caused some kind of problem. Super-long alphanumeric was fine.
I fixed the insecure method of updating credentials I used in this blurb yesterday. Now it's basically a one-liner, and it's not writing passwords to files.
Wrote this little tidbit because I spent far too long looking through complicated scripts for what should be a simple task.
LAPS. Learn it. Deploy it. Be happy.
Does anyone have a good link for how certificates work? I come across a lot of people who think they're black magic. I want to be able to give them some info to explain it.
Any suggestions on links/resources/presentations would be appreciated.
I found this one that seems ok as a start: https://blogs.msdn.microsoft.com/freddyk/2017/02/06/ssl-certificates-101/
I saw a novel way to calculate the Nth *day of the month, so I decided to make it a more generic function.
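As an added example (my own code, not the function from the post above), here is one generic form of that calculation in Python: the Nth occurrence of a given weekday in a month, extended to "last occurrence" and to months that have no fifth one, with Microsoft's second-Tuesday release day as the sample use. Function names are assumptions of mine.

```python
import calendar
from datetime import date


def nth_weekday_of_month(year: int, month: int, weekday: int, n: int) -> date:
    """Return the date of the n-th given weekday in a month.

    weekday uses the calendar module convention: Monday == 0 ... Sunday == 6.
    n >= 1 counts from the start of the month; n == -1 means the last occurrence.
    Raises ValueError when the month has no such occurrence (e.g. a 5th Tuesday).
    """
    days_in_month = calendar.monthrange(year, month)[1]
    first_weekday = date(year, month, 1).weekday()
    # Days from the 1st to the first occurrence of the requested weekday.
    offset = (weekday - first_weekday) % 7
    if n >= 1:
        day = 1 + offset + (n - 1) * 7
    elif n == -1:
        # Walk backwards from the last day of the month to the requested weekday.
        last_weekday = date(year, month, days_in_month).weekday()
        day = days_in_month - ((last_weekday - weekday) % 7)
    else:
        raise ValueError("n must be >= 1, or -1 for the last occurrence")
    if day > days_in_month:
        raise ValueError(
            f"{year}-{month:02d} has no occurrence #{n} of weekday {weekday}"
        )
    return date(year, month, day)


def patch_tuesday(year: int, month: int) -> date:
    """Microsoft's monthly release day: the second Tuesday of the month."""
    return nth_weekday_of_month(year, month, calendar.TUESDAY, 2)


if __name__ == "__main__":
    print("July 2018 Patch Tuesday:", patch_tuesday(2018, 7))
    print("Last Friday of Jan 2019:", nth_weekday_of_month(2019, 1, calendar.FRIDAY, -1))
```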
Can we all agree to focus more on RCEs than local-only exploits? That's not to say that local-only things don't need fixing, but let's focus on the bigger issues.
I'm sick of hearing about Spectre/Meltdown (and variants) being the end of the world. Let's fix them, but let's stop pretending they're the most critical issue out there.
I've complained about systemd before, but this talk gives excellent perspective. Doesn't explain the security complaints, but still good perspective.
This is old, but it brings up a question.
How much of "good security practice" is just not being completely stupid? 90%? 95%?
We all know 2FA is important, but the type of 2FA matters.
In honor of @jerry, here's the July MS patch truck. Again.
Metadata updates, re-issues...I'm a little sick of trying to keep up with this shit-show.
Jack of all trades sysadmin (primarily Unix) with interest in security.
A Mastodon instance for info/cyber security-minded people.