I've said it before, and apparently I'll say it again.

Security is...
1. ...like onions.
2. ...all about risk management.

Good security has layers - a single edge firewall protects against one attack surface...and leaves the rest wide open. AV, host firewalls, etc. are all layers that add to overall protection.

Which layers do you need? Depends on the risk your devices pose. Database of PII/PHI? Damn right you need all those layers. Dev box? Maybe not.

CVE-2018-16864 : exploitable since 2016
CVE-2018-16865 : exploitable since 2013
CVE-2018-16866 : exploitable since 2015 (but fixed by mistake on 08/2018)

So:
- brick PC bugs (EFI erase) ✔️
- Many accounts of unbootable machines after an upgrade ✔️
- Uncountable vulns for years ✔️

Seriously, what is it gonna take for distros to finally put systemD(isaster) back in the trash dump where it belongs??

Oh, and any Linux distro lead willing to share the huge hush money they must have won to accept that utterly shitty piece of trash in the first place?

I don't see any other reasons now...

If your website has password complexity requirements...maybe you should actually TELL PEOPLE. Don't just fail and give a generic "Our site is broken" page.

I'm looking at you, GlobalKnowledge.

My randomly-generated password from my vault was no good, because (presumably) the special characters caused some kind of problem. Super-long alphanumeric was fine.

Just downloaded all my photos/videos from FB and fully deleted the account. Feels good.

Now that I think of it, I need to re-activate FB and download all my photos and such. I have too much stuff that I never saved anywhere else.

RIP Red Hat.

What do enterprises use for Linux servers besides RHEL/CentOS? In my experience it's been by far the most common.

I fixed the insecure method of updating credentials I used in this blurb yesterday. Now it's basically a one-liner, and it's not writing passwords to files.

nointerrupts.com/2018/10/18/up

Wrote this little tidbit because I spent far too long looking through complicated scripts for what should be a simple task.

nointerrupts.com/2018/10/18/up

Every time I deal with WSUS/Windows Updates, I'm happier that yum/apt/whatever Linux package management exists.

Does anyone have a good link for how certificates work? I come across a lot of people who think they're black magic. I want to be able to give them some info to explain it.

Any suggestions on links/resources/presentations would be appreciated.

I found this one that seems ok as a start: blogs.msdn.microsoft.com/fredd

I saw a novel way to calculate the Nth *day of the month, so I decided to make it a more generic function.

gist.github.com/jjbaumgartner/

I've decided I should do more writing/blogging. I think it would be good for my career in the long run.

Unfortunately, toddler + infant != free time.

Maybe one of these days...

Can we all agree to focus more on RCEs than local-only exploits? That's not to say that local-only things don't need fixing, but let's focus on the bigger issues.

I'm sick of hearing about Spectre/Meltdown (and variants) being the end of the world. Let's fix them, but let's stop pretending they're the most critical issue out there.

Sysadmins need a shirt reading: "I survived Patch Tuesday"

I've complained about systemd before, but this talk gives excellent perspective. Doesn't explain the security complaints, but still good perspective.

youtube.com/watch?v=6AeWu1fZ7b

This is old, but it brings up a question.

How much of "good security practice" is just not being completely stupid? 90%? 95%?

bleepingcomputer.com/news/secu

In honor of @jerry, here's the July MS patch truck. Again.

Metadata updates, re-issues...I'm a little sick of trying to keep up with this shit-show.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.