Sysadmin

Knusper , in Microsoft leaks 38TB of private data via unsecured Azure storage

Gotta love this kind of news. There’s always these hypothetical discussions of clouds being insecure and companies generally just ignore that, because clouds are theoretically, sometimes cheaper.

And then every now and then, half the internet leaks out of one of these clouds and everyone’s like, holy crap, and then companies go back to generally just ignoring that, because clouds are theoretically, sometimes cheaper.

TheCee ,
@TheCee@programming.dev avatar

Unfortunately nobody in charge has seen consequences for their decision to save a few theoretical nickels, so far. But then again, a lot of software/IT related stuff would look completely different, if anybody did.

Knusper ,

Yeah, with the GDPR, you could theoretically get sued for using inappropriate technologies, but unless a proper expert committee officially declares Azure et al unsalvageable, you can always say you thought you were using safe technologies.

sep ,

I do not think anyone believes clouds are cheaper. For a stable workload probably 2x as expensive. Especially when you also count the new finops department you need to know what you are actually paying for in the cloud.

What cloud does give is virtually infinite capacity, infinite scale-out performance, instant availability and scalability up to a global presence, no up-front cost, no tear-down cost, bragging rights, no long-running contracts and APIs for EVERYTHING.

Edit: I did see you write theoretically ;)

x3i ,

Let me add another important point: outsourcing responsibility. In case of a data breach, you have someone to sue and you don’t need a whole internal team to be up to date on the latest security topics. Instead, they just have to be able to manage the web interface (not saying that is easy, just less subject to changes)

Default ,

Ding ding ding. It’s all about outsourcing accountability as much as possible. Always need a finger to point at if things go wrong.

XTornado ,

Given the average company I believe the cloud is more secure, of course they can shoot themselves in the foot in the cloud as well but that wouldn’t be the cloud being insecure. The cheaper part… not sure if I would agree, it is more simple and easier to manage than your own physical hardware and all that entails, unless you require very little, that’s for sure.

Nighed , in Microsoft leaks 38TB of private data via unsecured Azure storage
@Nighed@sffa.community avatar

The exposed data included backups of personal information belonging to Microsoft employees, including passwords for Microsoft services, secret keys, and an archive of over 30,000 internal Microsoft Teams messages originating from 359 Microsoft employees.

In an advisory on Monday by the Microsoft Security Response Center (MSRC) team, Microsoft said that no customer data was exposed, and no other internal services faced jeopardy due to this incident.

jmcs ,

Wait, they stored passwords in plain text?

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

Possibly or as a weak hash

elbarto777 ,

Always have done so.

🧑‍🚀🔫

clearedtoland ,

This is like the evolution of the “loss” meme. Gave me a chuckle.

raspberriesareyummy ,

Microsoft said that no customer data was exposed

Sure, we’ll just take your word for it, buddies. Cheers. /laughs in Linux

Random_user ,

You can use Linux and still have a Microsoft account.

Sinthesis ,

Microsoft owns GitHub. The blast radius for this could be severe.

raspberriesareyummy ,

Yeah, but the naivety of people believing in secure clouds needs to die. So if this helps, I’m all for it.

deegeese , in Cloudflare Unveils Free Privacy-Friendly Replacement to the Annoying CAPTCHA System
@deegeese@sopuli.xyz avatar

CAPTCHAs have been broken for quite a while now.

Google’s reCAPTCHA in particular is terrible and I fail it about half the time trying to guess what it thinks counts as part of a bicycle or not.

Darkassassin07 ,
@Darkassassin07@lemmy.ca avatar

I always found it kind of ironic that the tool used to prevent robot traffic, CAPTCHA, is also used as a data source train robots.

I don’t want you getting through this lock, so I’m going to sit you down and meticulously teach you how to get through this lock…

Ragdoll_X ,
@Ragdoll_X@lemmy.world avatar

What’s even more ironic is that we basically don’t need human data anymore to create AI that classifies objects or detects their boundaries. With algorithms like DINO we don’t even need labeled data at all, you just throw images at it and it learns on its own.

Google spent all this time collecting data through CAPTCHAs to train AI and now it might as well be obsolete.

JWBananas ,
@JWBananas@startrek.website avatar

Have you de-Googled or something? They only really nail you when you don’t have a signed-in Google account with real-world web usage, particularly if your connection originates from a flagged IP.

deegeese ,
@deegeese@sopuli.xyz avatar

Oh yes, how dare I visit a website without letting Google track me. Better block the user with a fake test in the name of security.

Rhaedas ,
@Rhaedas@kbin.social avatar

Some VPNs will definitely trigger reCaptcha, even if signed on to Google. I just have to hop over to another IP and suddenly everything is fine again.

veroxii ,

I’ve noticed I get the stupid reCAPTCHA way more since I swapped to Firefox. Even though I’m logged in to a Google account.

jonne ,

I get it a lot when I’m using our work VPN (which shows up as an AWS IP address). I guess if you’re using a VPN or a less reputable ISP you’ll probably get stung more often.

ugjka ,
@ugjka@lemmy.world avatar

They are broken because AI is better at solving these CAPTCHAs than humans. They are only stopping those spammers who can’t afford a GPU to break these CAPTCHAs.

NegativeLookBehind , in Microsoft leaks 38TB of private data via unsecured Azure storage
@NegativeLookBehind@kbin.social avatar

📎 “It looks like you’re trying to steal terabytes worth of data. Here, let me just give it to you!”

TheChefSLC ,

Lol! I used to pin him to my desktop. I loved having him for some reason…

KairuByte , (edited ) in You have a organizational identity right?
@KairuByte@lemmy.dbzer0.com avatar

Why would anyone ever use self signed certs? Buy a cheap ass domain, and use LetsEncrypt to get a free cert.

Sallp ,
@Sallp@lemmy.world avatar

If it is for internal only, self signed is a lot easier.

nickwitha_k ,

So is using “pass” as the password to all of your sensitive systems. Still not best, or even good practice.

JWBananas ,
@JWBananas@startrek.website avatar

Are you conflating self-signed and untrusted?

Self-signed is fine if you have a trusted root deployed across your environment.

nickwitha_k ,

Correct. If using actual pki with a trusted root and private CA, you’re just fine.

I took the statement to mean ad-hoc self-signed certs, signed by the server that they are deployed on. That works for EiT but defeats any MitM protection, etc.

KairuByte ,
@KairuByte@lemmy.dbzer0.com avatar

Hard disagree. As long as you have any machine with internet access it’s trivial, even more so if you can use DNS challenge.

SomeKindaName ,

You’re absolutely correct. For self hosting at home I use cloudflare for DNS challenges.

Caddy is also amazing at making things even simpler.

KSPAtlas ,
@KSPAtlas@sopuli.xyz avatar

Also probably no sysadmin uses it, but the Gemini protocol requires the use of a self signed cert

krellor ,

I use self signed certs for thinclient authentication. Generate self signed cert, load into AWS workspaces, sign device certs with root, and only machines that have the cert installed and pass the username password prompt will get through the AWS service broker. I can't see how using a CA signed cert helps me in any meaningful way. If I lose trust in the cert, I revoke it myself from the service.

nickwitha_k ,

Use of a CA (private CA would be my thought in this case) gives you greater ability to manage certs without needing to manually revoke and the ability to verify authenticity. You’re already doing most of the work to run a private CA, TBH. Just, instead of signing from the machine, you add your private CA’s intermediate cert to the trusted CAs on your hosts, and generate CSRs on your new hosts for your CA to sign.

Signing from the machine that uses a cert gives it greater authority and increases the “blast radius” if it gets compromised.

krellor ,

I do have a private CA service running on an internal EC2 instance, but all the AWS WorkSpaces broker checks is if the device cert being passed by the thin client was signed by one of the two signing certs you’ve loaded into the service, so the private CA itself still doesn’t manage revocation in this case.

I do appreciate the suggestion. My main goal in sharing this use case was to show folks that there are many places certificates are used that Let’s Encrypt isn’t geared up to solve. Other examples are things like signing Microsoft API requests, etc.

Anyway, have a great day!
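
An added example, not code from anyone in this thread, showing the two things discussed above in Go’s standard library: the private-CA workflow (a self-signed root distributed as a trust anchor, hosts generating their own keys and CSRs, the CA signing short-lived leaves usable for server and mTLS client auth) next to the ad-hoc case of a server signing its own certificate, and a relying-party check that accepts a cert signed by any of several trusted signing certs, as in the thin-client broker case. The hostnames (app01.internal, app02.internal) and CA names are made up; keys exist only in memory and nothing is written to disk or sent over the network.

```go
package main

// Added example, not code from the thread: a minimal private CA with Go's
// standard library, to make "self-signed" vs "trusted root" concrete.
// Hostnames and CA names are made up; keys live only in memory.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with signer; parent == tmpl makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates the one certificate that should be self-signed: the root
// that gets distributed to every host as a trust anchor.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// newCSR is the host side: a key that never leaves the host, plus a
// signing request for the CA.
func newCSR(hostname string) (*x509.CertificateRequest, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname}}, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return csr, key, err
}

// leafTemplate is shared by the CA-issued and the ad-hoc case, so the only
// difference between them is who signs.
func leafTemplate(serial int64, subject pkix.Name, dns []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subject,
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
}

// signCSR is the CA side: check proof of possession, then issue a
// short-lived leaf usable for server auth and for mTLS client auth.
func signCSR(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return issue(leafTemplate(serial, csr.Subject, csr.DNSNames), ca, csr.PublicKey, caKey)
}

// adHocSelfSigned is "signed by the server it is deployed on".
func adHocSelfSigned(hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := leafTemplate(1, pkix.Name{CommonName: hostname}, []string{hostname})
	return issue(tmpl, tmpl, &key.PublicKey, key)
}

// verify is the relying party: does cert chain to any of the trusted roots
// (several signing certs are fine, as in the broker case) and, if hostname
// is set, is it valid for that name?
func verify(cert *x509.Certificate, roots []*x509.Certificate, hostname string) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	ca, caKey, _ := newCA("Example Private Root")
	csr, _, _ := newCSR("app01.internal")
	leaf, _ := signCSR(csr, ca, caKey, 2)
	adhoc, _ := adHocSelfSigned("app02.internal")
	fmt.Println("CA-signed leaf, private root trusted:    ", verify(leaf, []*x509.Certificate{ca}, "app01.internal"))
	fmt.Println("ad-hoc self-signed, private root trusted:", verify(adhoc, []*x509.Certificate{ca}, "app02.internal"))
	fmt.Println("ad-hoc self-signed, pinned by the client:", verify(adhoc, []*x509.Certificate{adhoc}, "app02.internal"))
}
```

The first check returns nil, the second fails with an unknown-authority error, and the third passes only because the client pinned that exact certificate, which is the "works for encryption in transit but every client has to trust each server individually" situation; with a private root you deploy one trust anchor and rotate leaves freely.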

nickwitha_k ,

Oh fun. Thanks for sharing! Have a great day, yourself!

Fal ,
@Fal@yiffit.net avatar

Self signed certs are more secure. You don’t have to trust the whole CA chain

partyparrot ,

[Thread, post or comment was deleted by the author]

    Fal ,
    @Fal@yiffit.net avatar

    but they fix a lot more problems than they cause

    I didn’t say anything that disagrees with this. CAs are nice and convenient. They do this by expanding the chain of trust to a lot more people, hence making them less secure.

    Sure, if you can’t securely manage your cert, that’s a problem. But that doesn’t mean it’s less secure.

    Shadow ,
    @Shadow@lemmy.ca avatar

    Mtls across a large number of machines. I run my own CA and intermediates on hashicorp vault.

    For end user services, yes LE.

    KairuByte ,
    @KairuByte@lemmy.dbzer0.com avatar

    At the point of running your own CA with infrastructure in place to support it, I wouldn’t really call that “self signing.”

    I get that it technically is, since you’re not going through an external CA, but really it’s like calling a company’s datacenter “self hosted” because it’s on their own hardware. Technically the truth, but not what is generally meant. 😜

    Sandbag ,

    What’s LE?

    Shadow ,
    @Shadow@lemmy.ca avatar

    Let’s encrypt

    Gigan , in New Windows driver blocks software from changing default web browser
    @Gigan@lemmy.world avatar

    Windows can go fuck itself, I’m sick of their shit. Teams kept opening links in Edge even though it’s not my default browser. Found out that Teams specifically has a setting to ignore the default browser and use Edge anyway. The fuck is that about?

    Then I wanted to turn off the web search in the Start menu and I had to do a fucking RegEdit! They’re making it more and more complicated to not use their services, where’s the anti-trust regulations when you need them?

    wizardbeard ,
    @wizardbeard@lemmy.dbzer0.com avatar

    This is the norm. They have settings in Group Policy for a lot of this (sans the teams opening in edge, that is absolutely utter horseshit).

    The regedit you did (and most regedits to “fix” stupid default settings) is a manual version of the GP setting to just disable web search in the start menu.

    If you don’t use Windows with a Pro license, and you stay with Windows, next time buy a Pro license from a bulk OEM Pro License seller for cheap (or look up the latest way to spoof licensing and get it for free), and get access to Group Policy. It’s effectively Control Panel/Settings menu on steroids for corporate sysadmins.

    I swear that 80% of people’s complaints with Windows can be handled with Group Policy. Shit that it’s locked away from the average user, but the average user literally can’t tell the difference between web browsers if you make the shortcuts have the same icon.

    hemko ,

    Honestly, don’t buy Windows license. If you insist using that piece of malware, at least allow yourself a little bit of decency and just “pirate” it

    BombOmOm , (edited )
    @BombOmOm@lemmy.world avatar

    I swear that 80% of peoples complaints with Windows can be handled with Group Policy.

    One shouldn't have to go into the Group Policy screens just to restore basic functionality like 'use my default browser' and 'stop searching the web when I am searching my computer' and 'stop sending all my actions to your servers'. There is a reason people have been telling others to use Linux, rather than continue to put up with Microsoft's crap.

    CrayonRosary ,

    Install Pro or Enterprise, or Tiny10 and then go here and run the Power Shell script: https://massgrave.dev/

    And choose the first option. Takes a minute but then you'll be fully activated. If you don't trust the script, download it and check it yourself.

    Then you can use the Group Policy editor to turn a bunch of crap off that Home users aren't allowed to. I use Winaero Tweaker to edit all these things with a UI. It works even on the Home edition except for the few settings that require the Group Policy.

    DagonPie , in fuck Adobe and fuck their licensing
    @DagonPie@kbin.social avatar

    As someone that had to deal with adobe for 5 years for an 800 person studio. Fuck Adobe. For the rest of forever.

    Xepher , in Leaving VMware? Consider these 5 FOSS hypervisors • The Register

    The list for those that don’t want to read the whole article:

    1. Proxmox
    2. XCP-ng
    3. OpenNebula
    4. SUSE Harvester
    5. Oracle VM VirtualBox

    Dyskolos ,

    Thanks, but… Wow, who would’ve thought it’s the other major contenders.

    possiblylinux127 OP ,
    @possiblylinux127@lemmy.zip avatar

    Thanks

    Davel23 ,

    I like Virtualbox, use it myself in several instances but I would never consider it a replacement for VMware.

    ikidd ,
    @ikidd@lemmy.world avatar

    Virtualbox is painfully non-performant compared to anything KVM based.

    BigDanishGuy ,

    I use VirtualBox right now. My daily driver Windows 10 guest is so slow that pushing the start button comes with a 20s wait. Looking at the performance monitor while this is happening, nothing pops out as the culprit. Plenty of resources left.

    I’ve always sworn to VirtualBox, but I’m going to ask my boss for a workstation pro license next time I see him.

    henfredemars ,

    Not even an honorable mention for QEMU?

    kylian0087 ,

    What I miss honestly is KVM.

    lud ,

    I don’t know about the others but proxmox uses KVM.

    kylian0087 ,

    Ahh, I didn’t know that honestly. Never really used Proxmox myself, thought it was its own thing. I do know that OpenStack uses it as well.

    GewoehnlicherHamster ,

    I can really recommend Proxmox. Some years ago we switched from a 60.000€ Dell VMware storage/server setup to a three-host Proxmox setup for about half the price (to be fair, add 5-10k for setup by our local Linux team because we did not know much about Proxmox). Mainly because we were able to place one of the hosts in our warehouse (connected with 10G fiber), so there theoretically will be no harm to our production in case of water/fire/whatever in the server room, because the one system can instantly take over (after some learning it works like a charm). I had some concerns regarding Ceph, but for us it has proven rock solid; even while we had some really weird switch issues it always recovered fast and without problems as soon as the connection was there. A big issue was the licensing terms for Microsoft products, because with three AMD systems you have a lot of cores to buy licenses for, so we had a good excuse to substitute and cut out some products that only supported Windows environments.

    capt_wolf , in Microsoft leaks 38TB of private data via unsecured Azure storage
    @capt_wolf@lemmy.world avatar

    Microsoft said that no customer data was exposed.

    Well then, let’s break out the popcorn, this should be fun!

    Nighed ,
    @Nighed@sffa.community avatar

    As long as the data they lost doesn’t get more details, that get more detail that gets customer data… or another signing key…

    snooggums ,
    @snooggums@kbin.social avatar

    I am so glad that Microsoft always tells the truth so we can just take them at their word. It would be totally different if they had a history of lying and doing shady stuff.

    Sabata11792 ,
    @Sabata11792@kbin.social avatar

    That's what they all say before the customer data leak disclosure.

    Bishma , in Microsoft leaks 38TB of private data via unsecured Azure storage
    @Bishma@discuss.tchncs.de avatar

    Did Microsoft officially stop caring about security or is this more of a fad, like when everything was tiles for a while?

    Broken_Monitor ,

    We gotta give them a reason to care before they will do anything about it. How many companies have suffered major data breaches over the past 5 years with basically no consequences?

    possiblylinux127 ,
    @possiblylinux127@lemmy.zip avatar

    Just leave Microsoft

    Oh wait, everything depends on windows. Boy we have created a monster

    Broken_Monitor ,

    I can, but it would take a lot of effort to do so. I will look into it, but a lot of my video games still rely on Windows. However, for MS to change and care it would require a mass exodus on the corporate level, which will never happen.

    Nighed ,
    @Nighed@sffa.community avatar

    The more staff a company has, the more chance of mistakes/idiots.

    They should have scans to pick a lot of this up though.

    Zeth0s ,

    To be fair Microsoft has never cared much about security. See the windows server (a relatively niche os on servers) second entry in this stat: statista.com/…/major-operating-systems-targeted-b….

    It is just that nowadays these kinds of issues are more in the news because of “Russian cyber criminals”, while in the past no one really cared.

    Not that I complain… Visibility is actually a good thing

    LUHG_HANI ,
    @LUHG_HANI@lemmy.world avatar

    It’s not relatively niche on SMBs though. It’s a major target so it’ll always get hit.

    Zeth0s , (edited )

    It’s far less common than Linux OSes… in any type of server, including data storage. It is THE major target because it is a bad OS, nowadays primarily used by companies that don’t have good IT, for file shares used by tech illiterates who are easy victims of social engineering attacks. It’s an explosive combination that results in that stat… Practically 100% of successful ransomware attacks on servers are on Windows servers, despite it overall being much less used than competitors.

    The_Mixer_Dude ,

    If you think that’s bad check out Apple right now

    quarksbarandgrill ,

    please, explain

    The_Mixer_Dude ,

    See Pegasus

    DarkDarkHouse ,
    @DarkDarkHouse@lemmy.sdf.org avatar

    That’s not an explanation

    The_Mixer_Dude ,
    DarkDarkHouse ,
    @DarkDarkHouse@lemmy.sdf.org avatar

    Yeah, neither is that.

    The_Mixer_Dude ,
    DarkDarkHouse ,
    @DarkDarkHouse@lemmy.sdf.org avatar

    Just more links. Come on.

    The_Mixer_Dude ,

    How many links do you need?

    satanmat , in But we used it at my last job!

    Get three envelopes….

    Yeah that’s a shit move on his part to not bring you in. I can’t believe that his boss allowed it to go through

    housepanther ,
    @housepanther@lemmy.goblackcat.com avatar

    Glad the big boss sided with OP though!

    Tangent5280 ,

    Hi, what does the expression “Get three envelopes” mean in this context?

    MaxVerstappen ,
    Numenor ,

    A fellow had just been hired as the new sysadmin of a large high tech corporation. The sysadmin who was leaving met with him privately and presented him with three numbered envelopes. “Open these if you run up against a problem you don’t think you can solve,” he said.

    Well, things went along pretty smoothly, but six months later there was a major DoS attack against the infrastructure and he was really catching a lot of heat. About at his wit’s end, he remembered the envelopes. He went to his drawer and took out the first envelope. The message read, “Blame your predecessor.”

    The sysadmin went to his superiors and tactfully laid the blame at the feet of the previous admin because of bad security. Satisfied with his comments, management responded positively, he sorted it all out, got the servers running again and the problem was soon behind him.

    About a year later, the company was again experiencing a major outage, combined with serious hacking problems. Having learned from his previous experience, the sysadmin quickly opened the second envelope. The message read, “Blame the cloud hosts.” This he did, and the company quickly rebounded.

    After several consecutive months of no downtime, the servers once again acted up. The admin went to his office, closed the door and opened the third envelope.

    The message said, “Prepare three envelopes.”

    some_guy ,

    I thought I recognized where this would go: Traffic [2000]

    reddig33 , in ICANN proposes creating .INTERNAL domain

    .local already exists. More idiocy from ICANN.

    pupbiru ,
    @pupbiru@aussie.zone avatar

    .local exists for a very specific reason and it’s not meant to be used by regular DNS… people use it for alternate things, but it’s reserved for mDNS

    if .internal were to be added, we could start using that instead of overloading!

    LordCrom ,

    .local is a bad choice especially if you have any Mac hosts on the network.

    There is an RFC about that, but I’m too sleepy to look it up

    surewhynotlem , in Broadcom closes $69 billion VMware deal after China approval

    Next week’s news: Broadcom increases the price of VMware licenses ten fold and halts all feature development.

    Source: they did it to Symantec. Broadcom is where tech goes to be milked to death.

    FailBait ,

    They do that on their own. VMWare would blow up every deal we tried working with Dell, and our account reps told us everyone in Dell despised the VMWare account teams. The company that struggles to make a shit that doesn’t suck?

    And that’s why we’re switching to OpenStack next year…

    mo_ztt , in Windows feature that resets system clocks based on random data is wreaking havoc
    @mo_ztt@lemmy.world avatar

    Informative article but it meanders about for way too long.

    • In some circumstances, Windows resets its clock based on the ServerUnixTime field of incoming TLS handshakes, for reasons that are not completely clear
    • OpenSSL puts random numbers in ServerUnixTime
    • Problem!
    • Disable via HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits

    See? That didn’t take long.

    flambonkscious ,

    So does that mean one needs to run NTP as well as the domain-based time sync, for when the donation based one fails?

    Seems weird. I wonder why they’re so cagey about it

    mo_ztt ,
    @mo_ztt@lemmy.world avatar

    Their official advice is to disable STS when using NTP.

    As for the explanation, I think it was just an example of bad decisions compounding on themselves.

    • Oh no, it’s difficult to sync time because the secure communication layer doesn’t work when our time is already out of sync. That’s okay, we’ll use a totally other dubious mechanism instead of fixing that.
    • Oh no, the dubious mechanism is giving us bad results sometimes. That’s okay, we’ll introduce weird heuristics to attempt the impossible problem of determining whether the dubious mechanism’s output is trustworthy.
    • Oh no, the heuristic fails sometimes. That’s okay, “We agree that the overall direction of technology with the adaption of TLS v1.3 and other developments in this area could make Secure Time Seeding decreasingly effective over time, but we are not aware of any bugs arising from their use. This technology direction also makes heuristic calculation of time using SSL/TLS far less attractive when compared to deterministic, secure time synchronization.”
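
An added example, not from the article or the comment above, that reconstructs the mechanism in Go so the "dubious" part is visible: in TLS 1.0 to 1.2 the first four bytes of the 32-byte ServerHello random were defined as gmt_unix_time, while OpenSSL by default, and every TLS 1.3 server, fill all 32 bytes with random data. The ServerHello randoms are constructed in the code, and the plausibility window is an assumption for illustration, not Windows' actual heuristic.

```go
package main

// Added example, not from the article or the thread. It reconstructs the
// "ServerUnixTime" heuristic: in TLS 1.0-1.2 the first 4 bytes of the 32-byte
// ServerHello random were gmt_unix_time; OpenSSL by default, and every
// TLS 1.3 server, fill all 32 bytes randomly. The plausibility window below
// is an assumption for illustration, not Windows' real logic.

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// serverUnixTime reads the leading 4 bytes of a ServerHello random as a
// big-endian Unix timestamp, the way a clock-seeding heuristic would.
func serverUnixTime(random []byte) (time.Time, error) {
	if len(random) != 32 {
		return time.Time{}, errors.New("ServerHello random must be 32 bytes")
	}
	secs := binary.BigEndian.Uint32(random[:4])
	return time.Unix(int64(secs), 0).UTC(), nil
}

// plausible is the sanity check such a heuristic is forced to apply: accept
// the peer's "time" only if it is within window of our own clock, which is
// circular, since the local clock is exactly what we distrust.
func plausible(peer, local time.Time, window time.Duration) bool {
	d := peer.Sub(local)
	if d < 0 {
		d = -d
	}
	return d <= window
}

// legacyRandom builds the field the way an RFC 5246-era server did:
// 4-byte clock followed by 28 random bytes.
func legacyRandom(now time.Time) []byte {
	r := make([]byte, 32)
	binary.BigEndian.PutUint32(r[:4], uint32(now.Unix()))
	rand.Read(r[4:])
	return r
}

// modernRandom is what OpenSSL sends by default: 32 random bytes, so the
// "timestamp" is uniform over 1970..2106.
func modernRandom() []byte {
	r := make([]byte, 32)
	rand.Read(r)
	return r
}

// falseAcceptRate is the chance that 4 random bytes land inside ±window of
// the local clock: 2*window seconds out of 2^32 possible values.
func falseAcceptRate(window time.Duration) float64 {
	return 2 * window.Seconds() / float64(uint64(1)<<32)
}

func main() {
	now := time.Now()
	window := 24 * time.Hour
	t, _ := serverUnixTime(legacyRandom(now))
	fmt.Println("legacy peer says:", t, "plausible:", plausible(t, now, window))
	t, _ = serverUnixTime(modernRandom())
	fmt.Println("OpenSSL peer says:", t, "plausible:", plausible(t, now, window))
	fmt.Printf("per handshake, a random peer passes a ±1 day window with p = %.2e\n", falseAcceptRate(window))
}
```

The legacy peer always passes and the OpenSSL peer almost always fails, which is why a window looks like it works in testing; the last line is the catch: across a fleet doing many thousands of handshakes a day, some random ServerHello will eventually land inside any window you pick, and a heuristic that then trusts it moves the clock to a random date.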
    0v0 , in What non-evil DNS server do you recommend?

    Quad9, a Swiss public benefit, not-for-profit foundation. Main address is 9.9.9.9.

    beeng ,

    TIL, danke!
