




  • Na, my experience is that Defender is fine with users downloading browsers and “updates” from random Russian sites. It’s happy to let the users install that software and only bothers to log a “hey, maybe this was bad” alert some time later. Edge, on the other hand, loses its shit when you visit the official download sites for Chrome or Firefox.



  • I’m still hoping that the somewhat irrational anger towards “AI” stuff subsides

    I think this anger is linked to the irrational exuberance for “AI”.

    Personally, I kinda hate AI. Not because of any sort of fear of job loss or anything like that. It’s because “AI” has been rolled out heavily in the Cybersecurity space, making my work life hell because of it. Models are only as good as their training and this means that any AI model which is going to spot anomalies in a network needs to spend a good amount of time being trained. However, what the vendors sell are touted as unsupervised models. They just need to spend a while on your network and they can automagically learn what “normal” is and then alert you on “abnormal”. This ignores the fact that you still need your analysts chasing false positives constantly from this black box. And that “black box” aspect is a major problem. You’ll get an AI/ML based alert with exactly fuck all in detail on why the alert triggered. If you’re lucky, you might get a couple log entries along with the alert, but nothing saying why those entries are suspicious.

    I will grant that there are a few cases where the “AI” in a product has worked. Mostly, it’s been in language processing. Heck, having an AI half-write a function for you in a tool you don’t use very often is quite nice. You almost always need to rework the results a bit, but it can get you started. But, my first question for any vendor talking about “AI Detections” is “how do we tune false positives?”. It’s just too big of a headache. And most of them try to downplay the need or dodge the question. Or, you have to babysit the model, effectively making it a supervised model. Which, fine. Just stop telling me how much time it’s going to save me, when I’m going to spend more time supervising the model than searching for threats in my environment. And, for fuck’s sake, design that shit to explain itself.

    As for putting AI in my system. I can see a use case for language processing. Heck, I’d love to have the Star Trek style, “hello computer…” type stuff actually work worth a damn. Google and Siri are pretty close, though even those can be shit on toast when trying to do anything slightly complex. And having all that done locally, without having to send data “to the cloud” sounds great for privacy and security (until MS adds a keylogger as part of the OS). But, given how much time my GPU sits at or very near idle, I do wonder if the extra chip is worth the silicon or space.

    In the end, I’m expecting this to go much the way TPM has. We’ll all end up with it in our systems, whether or not we know, care or use it. All because manufacturers just start soldering it on to everything. Maybe someone will find a good use for it eventually, distributed AI porn, maybe? But, like a lot of AI, it seems like a solution in search of a problem.


  • BLUF: It’s been a mixed bag, but I would call it “worth it”.

    I’ve used Ubuntu a bit before. That’s what my home server runs on and has for years. Granted, most of its functions live in Docker containers. I also used both Debian (via Kali) and Ubuntu at work (yes, I know Ubuntu is Debian based, but it’s also big enough to have its own dedicated ecosystem). I work in Cybersecurity and use Linux based tools for image acquisition, digital forensics and data recovery. Kali makes for a great “it just works” system to validate vulnerabilities and poke at a network. And, between a lot of tools targeting Ubuntu and frameworks like SANS SIFT, Ubuntu gets used a lot. I also supported several Red Hat based servers at work for various tools. I’m far from an expert on Linux, but I can usually hold my own.

    In a lot of ways, Arch wasn’t an obvious choice for me. And I seriously considered going with Ubuntu (or another Debian based OS (e.g. PopOS)) at first. It’s worth mentioning that my primary use for my desktop is video games. So, that heavily affected my choices. That said, the reasons for choosing Arch ended up being:

    1. I have a SteamDeck and most of my games “just work” on it. With Arch being the flavor of Linux Valve is targeting, following their lead seemed like a good idea. I expected that a lot of effort to get games working on “Linux” would ultimately be focused on getting games working on Arch.
    2. I wanted a “minimal” system. I can be a bit of a control freak and privacy nut. I already self-host NextCloud, because I don’t want my pictures/data sitting on someone else’s computer. So, the “install only what you need” nature of Arch was appealing.
    3. I did do some testing of Ubuntu on my system and had driver issues (nVidia GPU) and some other problems I didn’t put the time into running down. In the end, it put me off Linux for a while before I came back to it and ran Arch.

    One of the things I did, which was really helpful, was a “try before you buy” setup. I was coming from Windows 10. And, as mentioned above, gaming was my main use case. So, that had to work for me to make the jump. Otherwise, I was going to milk Windows 10 for as long as possible and then figure things out when it went EOS. So, I installed Arch on a USB 3.0 thumbdrive and left my Windows OS partition alone. I also mounted my “Games” drive (M.2 SSD) and installed games to that. It was still NTFS, but that only created minor bumps in the road. Running that configuration for a couple months proved out that Arch was going to work for me.

    When it came time to fully change over, I formatted my Windows OS partition as ext4, set up the correct folder structure and rsync’d everything from the thumbdrive to it. So, everything was the way I’d had it for those couple months. I did have an issue that my BIOS refused to see the OS partition on the SATA SSD I used for my OS partition; but, that was MSI’s fault (I have an MSI motherboard). And that was resolved by changing where GRUB is located in my /boot partition.

    Overall, I’ve been happy with the choice I made. Arch hasn’t always been easy. Even the Official Install Guide seems to come from a RTFM perspective. But, if you’re willing to put the time into it, you will learn a lot or you won’t have a functional system. And you’ll end up with a system where you can fire up a packet capture and have a really good idea of what each and every packet is about. As for gaming, so far I’ve had exactly one game which didn’t run on Linux. That was Call of Duty 6, which I was considering giving a go to play with some folks I know. But, Activision’s Anti-Cheat software is a hard “no” on Linux. So, I had to pass on that. Otherwise, every game I have wanted to play either had native Linux support or worked via Proton/WINE.







  • Do you think it’s okay to not have an opinion on something?

    Yes, absolutely. There are enough issues in the world that you probably don’t know about a lot of them. And even once you are made aware of an issue, you likely don’t have enough information to form a well considered opinion. It’s also possible that you will never have enough information on an issue to have a well formed opinion. You only have so many hours in a day and, unless an issue impacts you directly, it’s quite possible that you just won’t have the time to put into it. There’s no reason to feel bad about this, the issues that are most important to me may not be the issues which are most important to you.

    How important is it to educate myself and ask questions?

    Very important. If you are going to have an opinion on something, you should try to have a basic understanding of the issue. You’ll never be an expert on everything; but, for issues which you truly care about, you should have at least a passing understanding of the subject matter. Also, asking questions is always good. If someone is trying to shut down your asking questions, you should start questioning that person’s motives.

    Do you feel that pressure to have an opinion on everything?

    Nope. One of the big secrets of life is learning to set boundaries. Just because someone else is incredibly passionate about something doesn’t mean you need to be. Learn to tell people “fuck you and the horse that came on you”. If that bothers them, then that’s their problem, not yours. This isn’t carte blanche to be an asshole, you should still strive to be a good person and act in pro-social ways. But, it does mean that you can draw a line and not have to own everyone else’s problems all the time.


  • That sounds more like a feature than a bug. I remember when Twitter was actually useful. You could sort by “new” as the default and your feed only included stuff from people you followed. And then it went to complete shit with the sort defaulting to “fuck your preferences”, sponsored content and your feed being littered with click bait, paid content and all the other bits of enshitification. And that is all built on the algorithmic selection of content.





  • Step one, take a deep breath and realize that, unless you own the company, killing yourself to save it is dumb.
    That said, there are some things you can do to try and improve things:

    Learn to “talk business”. Yup, this one sucks, but it’s also the only way you are ever going to get traction. Take that Windows 7 system, why do you want to upgrade it? “Because security”, right? Well, how does that translate into costs to the business? Because, businesses don’t care about security. I work in cybersecurity for a large (Fortune 500) company and upper management has given exactly zero fucks about security for a very long time. They only started coming around when that lack of security started costing them real money. They still give zero fucks about security, but they do care about risks to the business and what that might cost them. Having security and money linked in their heads means we can actually implement better security. You need to put the lack of security of that Windows 7 system in terms of dollars potentially lost. Something like the Annualized Loss Expectancy. If that box gets popped, how much would it reasonably cost the business to recover from? Is that something which you expect to happen once a year, once every five years? These numbers will be mostly made up and wildly inaccurate. But, the goal is to just get in the right ballpark. How does that cost compare with the cost to upgrade? What about other possible mitigating controls you could use to protect it? Does it need to have internet access? Could you VLAN it off into its own little world and keep it running with reduced risk? Give management the expected costs of that system becoming patient zero in a ransomware outbreak and then give them several options and the associated costs (upfront and ongoing) to secure it. Have multiple options. A high cost one (e.g. replace the box), a low cost one (FW and VLAN controls) and the one you actually want right in between (OS Upgrade). Managers are like children, they need to feel like they made a choice, even if you steered them into it.

    Next, don’t try to boil the ocean. You’re not going to fix everything, everywhere, all at once. Get some small wins under your belt and prove to management that you aren’t going to break the business. Show that you aren’t just some greenhorn cowboy who is going to break the business because you think you are so smart. If you can make a plan for that Windows 7 system, show the costs involved and actually get the job done smoothly, then you might be able to move on to other things. Sure, you might actually be right; but, you could also end up breaking a lot of stuff in your quest to have perfect security (which you’ll never actually achieve). Take on one or maybe two things at a time. It’s a slow process and it leaves things broke far longer than you will like, but it builds trust and gets more action than just screaming about everything at everyone. Slow is steady, steady is fast.

    Moving on, be aware that you probably don’t know everything about the business, and the business functioning is paramount. Why does everyone have local admin? Because that’s the way it’s always been and it has always worked. If you start pulling those permissions back, what processes get broken? This is a tough one, because it means documenting other people’s processes, many of which probably only exist in the heads of those people. How often are people moving around critical files using CIFS and the C$ share. It’s fucking stupid, but there’s a good chance that the number is greater than zero. You pull local admin from people, and now work doesn’t get done. If work doesn’t get done, the business loses money. You need to have a plan which shows that you have considered these things. Design a slow rollout which phases local admin rights out for the users who are least likely to affect the business. Again, slow is steady, steady is fast.

    And this brings us to another point, auditors are your friends. No really, those folks who come in and ask you where all your documentation is and point out every single flaw in your network, ya, they deserve hugs not hate. You’re in healthcare, where does your business fall on regulations like HIPAA (US-centric but similar regulations may apply in other countries)? 'Cause nothing says, “fuck your wallet” to a business quite like failing an audit. If you can link the security failures of the business to required audit controls, that’s going to give you tons of ammunition to get stuff done. I’ve watched businesses move mountains to comply with audit controls. Granted, it all becomes “checkbox security” at some point; but, that is vastly better than nothing.

    All that said, company loyalty is a sucker’s game. I’m guessing you’re early in your career and an early IT career likely means job hopping every 3 years or so. Unless you get a major promotion and associated pay bump in that time, it’s probably time to move on. Later in your career, this can slow down as you top out in whatever specialization you choose (or you get lured in by the siren song of management). So, there is that to consider. It might just be time to go find greener pastures and discover that pastures are green because the cows shit all over them. But, it can feel better for a while. Having your resume up to date and flying it out there usually doesn’t hurt. Don’t job hop too fast or you start to look like a risk (I stick to a 1 year minimum). But, don’t stick around trying to save a sinking company.

    Along with that, remember that you don’t own the company; so, don’t let it own you. When you get to the end of your day, go the fuck home. Don’t let the business consume your personal time in actions or thoughts. If the place burns, that’s the owner’s problem, not yours. Do your best while on the clock, do try to make positive changes. But, killing yourself to make the owner just a bit richer makes no sense. The only person who is ever going to truly have your best interests in mind is you, don’t lose sight of them. Say it with me, “Fuck you, pay me”.

    So, where to go from here? Well, you sound like you have a good plan at the moment:

    I am also looking into getting my Linux+ (currently only have my A+)

    Sounds solid. If you care about security, let me recommend poking your head into the cybersecurity field. I am absolutely biased, but I feel it’s a fantastic field to be in right now. Following up the Linux+ with the Sec+ can be a great start and maybe the Net+. The A+, Net+, Sec+ trifecta can open a lot of doors. And you now have some IT/systems background, which I always suggest for folks (I look for 3-5 years in IT on resumes). As a lead, I get to be in on interviews and always ask questions about networking, Active Directory, email security and Linux. I don’t expect entry level analysts to know everything about all of them; but, I do expect them to be able to hold a conversation about them.

    Good luck, whatever path you choose.
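
The Annualized Loss Expectancy comparison described in the comment above, worked through as an added example that is not part of the original comment. Every figure is constructed for illustration, the three options mirror the ones the comment names, and the three-year horizon and the `Scenario`/`compare` names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    upfront: int            # one-time cost of the control
    yearly: int             # ongoing cost per year
    loss_per_incident: int  # single loss expectancy (SLE)
    years_between: int      # expected years between incidents (ARO = 1 / years_between)

def ale(loss_per_incident, years_between):
    """Annualized Loss Expectancy = SLE x ARO."""
    return loss_per_incident / years_between

def compare(baseline, options, horizon_years=3):
    """Rank options by net saving over the horizon versus doing nothing."""
    do_nothing_loss = ale(baseline.loss_per_incident, baseline.years_between) * horizon_years
    rows = []
    for opt in options:
        residual_ale = ale(opt.loss_per_incident, opt.years_between)
        control_cost = opt.upfront + opt.yearly * horizon_years
        net_saving = do_nothing_loss - residual_ale * horizon_years - control_cost
        rows.append({"option": opt.name, "residual_ale": residual_ale,
                     "control_cost": control_cost, "net_saving": net_saving})
    return sorted(rows, key=lambda r: r["net_saving"], reverse=True)

# Constructed figures for illustration only; none come from the comment.
BASELINE = Scenario("Leave Windows 7 box as-is", 0, 0, 200_000, 5)
OPTIONS = [
    Scenario("Replace the box", 60_000, 2_000, 200_000, 50),
    Scenario("FW and VLAN controls", 3_000, 1_000, 200_000, 10),
    Scenario("OS upgrade", 8_000, 500, 200_000, 25),
]

if __name__ == "__main__":
    print(f"Do-nothing ALE: {ale(BASELINE.loss_per_incident, BASELINE.years_between):,.0f}/yr")
    for row in compare(BASELINE, OPTIONS):
        print(f"{row['option']:<22} residual ALE {row['residual_ale']:>8,.0f}/yr  "
              f"cost {row['control_cost']:>7,}  net saving {row['net_saving']:>8,.0f}")
```

With rough inputs like these, the ranking matters more than the exact totals; rerunning with a pessimistic and an optimistic incident interval shows whether the preferred option holds across the ballpark.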