PD.com: We occur at random among your children.
Started by POFP, July 21, 2019, 05:16:27 PM
Quote from: P3nT4gR4m on July 24, 2019, 04:55:52 PM

Dunno about security but fuck me did I just serve 6 months in what felt like a "how not to infrastructure" case study. The guys who bought us out are running a f'kin foxpro admin system that looks like an out of date warehousing/logistics solution, poorly modded for RIM functionality.

Okay so it's archaic and clunky as fuck but so are a lot of things in this field. Budget ain't what it used to be and it can be hard to convince the board that we need something new when what we already have is doing the job, right?

Okay, fair enough, but which fucking idiot thought it would be a good idea to serve it over MS RDP in some kind of twisted homage to the 90's thin client craze? So now these guys are wondering why there's smoke pissing out the back of their server every time they turn it on and five hundred users ask for sessions.

I'm guessing the same idiot decided it was a good idea to stick the database on the same box, cos fuck if I haven't got anything better to do than wait one minute and thirty seconds for a hundred-odd work orders to appear on my screen.

The icing on the cake was when tech support sent out an email about a planned server reboot TEN FUCKING MINUTES before they took it down! Surprise surprise, rebooting didn't fix their 90,000% load issue but it did stop us servicing any orders for the best part of twelve hours.

Bear in mind this company is the success story, their acquisition strategy is one per month and they're trying to increase this to two. Fuckers are so backlogged it took three months for them to even email me about data transfer. I can't complain, just picked up half a year's salary for an hour and a half's work.

And they still managed to arsehole the transfer. Kinda guessed they would when, two days before I pulled the plug on my side, I was getting emails asking what all my fields did.

Security? At a guess there is none. AD group policy certainly wasn't the slightest bit concerned when our AV cover ended. The application they're using is essentially visual foxpro query builder, with a logo in the corner. That's right, end fucking users are writing SQL. Can't imagine anything going wrong there. Let's hope they've locked down Drop statements. I didn't have the heart to check.
Quote from: nullified on July 24, 2019, 06:54:10 PM

Welcome to normal computer security.

What I didn't mention about that life insurance company is that they were one of the smarter ones I've heard of.

Yes, penetrating their network was as simple as logging into the unsecured root user. But their intranet wasn't connected to the internet, even indirectly, and so an attacker would need to get physical access to a machine. At a life insurance company, that's hard to do, because there's very little chance you'll be left to hang out in an office for long enough to do anything more than get caught red-handed.

They did have an Internet-connected network, and that was all Windows machines — cue the cold shudders — but they were all employee-owned machines, laptops, and I believe legally they can't put customer information on employee-owned machines. So, all told, that's actually a lot better than what the norm is.

Read through Troy Hunt's blog sometime, the Security tag. It's illuminating: gigantic companies throwing plaintext passwords around. Enumeration attacks possible without authentication. Ridiculously basic shit left wide open.
Quote from: PoFP on August 04, 2019, 04:34:03 PM

Me: Hey Bob, when does [redacted] want their new POS Image? Isn't their Pilot coming up soon?

Bob (PM): They plan to go to Pilot with their current image. They will need the new one for testing of MariaDB, very soon, though.

Me: OH SHI- They're currently running a LAB image with no security constraints for ease of use. That image is WIDE OPEN to attack.

Bob: OH SHI- Let's get them on a call!

We get them on a call the next day, and I get put on the spot for a delivery date for the new image. I mostly had the image prepared from a month ago, minus the documentation and some minor optimizations for easy switching between RDBMSs, so I said I'd get it to them the next day. But it's still a bad idea to give a customer a 1 Day expected turnaround date, no matter how much you think you have to do. I regretted it the moment I said it.

Anyways, I had a lot more work cut out for me than I realized when I went back over the image, so I spent 18 of the next 24 hours finishing the damned thing. Got it delivered on time the next day with a lot of the changes mentioned here.

Bob (half an hour after delivery of the image with complete documentation written from scratch): We're having a Field Leadership Meeting with the customer on the 18th. Would you like to come with the Product Director, CTO, Sales Director, and I to show off the Product and your deployment system to the customer's highest ranking Field and Corporate Executives?

I am fucking ecstatic. I'm finally getting the internal influence and recognition I've been working 50 hour weeks for for the last year. I went from working at a call center doing Level 1-3 App Support to being hired on and then promoted to Senior Technical Consultant after only a year. And now I'll be involved in executive meetings with one of the largest, high-profile retailers in the US.