Service Providers

People who work for a technology service provider.

  • RE: New customer - greenfield setup

    If this was a medical office, as an example, imagine if a client claimed that security had been compromised. Any investigation would quickly turn up that the end to end encryption rules were violated and that the office had intentionally removed encryption and exposed the data and had an opportunity for people, anyone with access to the firewall, to extricate it outside of the known controls.

    While unlikely to be the actual source of a breach, in court it would really only need to be shown that the data was voluntarily exposed and that would be enough for damage to be done. But if you did want to steal HIPAA data, this is exactly the kind of exposure point you'd hope for. Especially as a great many firewalls that offer this have backdoors or weak security that would normally border on being useless when used properly, but when configured as a trusted man in the middle means you have a way to siphon out the data without detection after the network monitoring controls are already past. Nothing on the network would be able to detect large volumes of data flowing out, as it would flow out from the outside interface of the LAN only.

    posted in IT Discussion
  • RE: New customer - greenfield setup

    @dave247 said in New customer - greenfield setup:

    @scottalanmiller said in New customer - greenfield setup:

    @dashrender said in New customer - greenfield setup:

    Of course it's really only worthwhile where we can do SSL inspection (can this be done without installing certs on the clients to allow MiTM inspection?)

    Nope, that's physically impossible. These types of devices I see as reckless because they are often poorly maintained, often made by questionable vendors (Sophos is fine, but many others are less respectable) and provide a single point of total egress of your data with nearly all assumed protections removed.

    Hey Scott, can you elaborate a bit more on that - I'm talking about the recklessness of SSL inspection. I ask because my company has a Sonicwall NSA appliance and in the past I have attempted using the "DPI-SSL" feature (deep packet inspection) which required installing the Sonicwall cert on all systems and then the traffic would be intercepted and inspected. Despite me following their guide and applying the correct settings and site exceptions, I still had some issues and ended up scrapping the effort for now. I already know your opinion on Sonicwall but I just wanted to get more insight into the whole deep packet inspection effort.

    So my issue with that is that it "breaks" the entire security chain. The idea behind the certificate system is that your traffic is encrypted end to end. By adding a man in the middle there is a time when the traffic is not encrypted, but both the browser and the server believe that it is.

    If everything works as expected, this is fine because we trust the man in the middle, in this case. But that's asking a lot of "another system" to be completely trusted.

    In reality neither of the end points truly trust the man in the middle. The "firewall" isn't a friend here, it's in the path because it already distrusts both end points. So trust is not really appropriately at play here.

    On a technology side, this adds an extremely high profile target that is rarely secured close to as well as the server or the workstations are. Traditionally firewalls were an extra layer of security, rather than an extra layer of risk. A compromised firewall meant that you lost a layer of defense, not that the firewall represented a bypass to existing security measures as well. So this ends up being a lot like a VPN, everyone says it's for security, but as used it is nearly always a huge risk because risk is extended rather than the tool being used to lock it down more.

    So both hard technical by adding a huge point of exposure and for bypassing existing controls; and soft technical by putting the most critical point of exposure where network admins tend to understand it the least and where politics tend to keep it from getting properly maintained.

    Then comes liability. Legally you can use this in most circumstances. But only most. I would never use this without my legal team signing off on it. Because you are hijacking encrypted data mid-stream that is meant to be trusted, you risk both political fallout (customers, vendors, etc. being angry or going public that data may have been hijacked, possibly without consent) and legal fallout (if this is discovered and HIPAA data was in flight, for example, it technically violated any end-to-end encryption laws or requirements). Knowingly decrypting network traffic midway carries a lot of risk and you really need to understand the legal or business risk to all of the traffic. It's not something you can just do and not worry about.

    As a business owner, never ever would I take that risk. Huge risk, no real value to doing so. I'd have to be a seriously emotionally driven control freak to consider doing something like this.

    Which brings the final problem with it... a tool like this would not be made by or deployed by those who value security. So if you have a vendor making these tools, or you have management demanding these tools, you have people who are prioritizing control or the emotional perception of control above business interests and security. Sure, a vendor like SonicWall is just catering to their client base. To them it is a good business decision, but that decision is to allow their customers to undermine their own security. So from a security perspective, this goes against all common sense and otherwise stated practices.

    As an aside, IF something like this was ever warranted, it should never be put on the firewall but run in a VM like any other production workload. That people put it on the firewall instead shows how little security thinking is involved when these products are discussed. There are better ways to do this if someone actually intended to do it in a good way.

    posted in IT Discussion
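Both posts above describe the same mechanism: an inspecting firewall terminates the client's TLS session, re-signs the server's certificate with its own CA (the one pushed to every workstation), and the browser sees a valid chain because that CA is trusted. The one thing the appliance cannot forge is the original leaf certificate, so a pin recorded from an uninspected connection exposes the interception even when the trust store has been tampered with. The following is an added example, not code from the thread or from any vendor; the certificate data, the "DPI-SSL Appliance CA" issuer name and the `www.example.com` host are constructed placeholders.

```python
import hashlib
import socket
import ssl

# Constructed sample data (not real certificates): the first blob stands in for
# the DER-encoded leaf the origin actually serves, the second for the re-signed
# leaf an inspecting appliance presents to the client. Only the fingerprint and
# issuer comparison matters for this demonstration.
DIRECT_DER = b"constructed-der-bytes-for-origin-leaf"
INTERCEPTED_DER = b"constructed-der-bytes-for-resigned-leaf"

# Issuer/subject tuples in the shape ssl.SSLSocket.getpeercert() returns them.
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),  # subject is copied by the MITM
    "issuer": ((("commonName", "DPI-SSL Appliance CA"),),),  # assumed appliance CA name
}

# Pin recorded earlier from a direct, trusted connection (e.g. from outside the LAN).
PINNED_FINGERPRINT = hashlib.sha256(DIRECT_DER).hexdigest()
EXPECTED_ISSUERS = {"Example Public CA R1"}


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER encoding of the leaf certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def issuer_common_name(cert):
    """Pull the issuer CN out of a getpeercert()-style dict; '' if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def detect_interception(cert, der_bytes, pinned_fingerprint, expected_issuers):
    """Return a list of findings; an empty list means the presented leaf matches the pin."""
    findings = []
    actual = cert_fingerprint(der_bytes)
    if actual != pinned_fingerprint:
        findings.append("leaf fingerprint %s... does not match pin %s..."
                        % (actual[:16], pinned_fingerprint[:16]))
    issuer = issuer_common_name(cert)
    if issuer not in expected_issuers:
        findings.append("leaf issued by %r, not one of %s" % (issuer, sorted(expected_issuers)))
    return findings


def live_check(host, pinned_fingerprint, expected_issuers, port=443):
    """Run the same check against the certificate actually presented on the wire.

    The default trust store is used on purpose: if an appliance CA has been
    pushed to this machine the handshake succeeds anyway, and only the pin
    and issuer comparison reveal that a middlebox re-signed the leaf.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return detect_interception(cert, der, pinned_fingerprint, expected_issuers)


if __name__ == "__main__":
    print("direct:     ", detect_interception(DIRECT_CERT, DIRECT_DER,
                                              PINNED_FINGERPRINT, EXPECTED_ISSUERS))
    print("intercepted:", detect_interception(INTERCEPTED_CERT, INTERCEPTED_DER,
                                              PINNED_FINGERPRINT, EXPECTED_ISSUERS))
```

The offline run reports no findings for the direct chain and two for the re-signed one (fingerprint mismatch and an issuer that is not the public CA). A leaf pin breaks when the origin renews its certificate, so for an ongoing check pin the expected issuer or the SPKI instead, and record the reference value from a network path the appliance cannot see.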
  • RE: Gaming - What's everyone playing / hosting / looking to play

    Liesl and i are playing through Mass Effect Trilogy again. Legendary Edition this time.

    posted in Water Closet
  • RE: Staying at your shitty employer is your fault

    @dashrender said in Staying at your shitty employer is your fault:

    @scottalanmiller said in Staying at your shitty employer is your fault:

    @dashrender said in Staying at your shitty employer is your fault:

    @flaxking said in Staying at your shitty employer is your fault:

    GitLab used to have a calculator public to see how much you would get paid, but they had to take it down due to external pressures.

    One of the issues with posting something like that is that everyone in that specific role is basically making the same - there's no incentive to do better in that job. At least that's the excuse I hear...

    But there are incentives to move to locations that don't cost you so much, but cost the employer more. Lots of "gaming" of that system to be done.

    This assumes either - you have to move before getting the job or that the company will change your pay after you move there.

    As mentioned by @flaxking, wherever you want to live might not be a geographic area the company wants people.

    Still gamable no matter which method they go with. None of it supports business processes.

    posted in IT Careers
  • RE: What Are You Doing Right Now

    @jaredbusch said in What Are You Doing Right Now:

    @scottalanmiller said in What Are You Doing Right Now:

    Ugh, stupid ML update issues tonight. But it is back now.

    I had a minor issue upgrading mine the other day, but that is because I am still on CentOS 7 and having issues due to old versions.

    Wasn't a NodeBB issue directly.

    We are on Ubuntu here, but it was a mix of NodeJS and NodeBB issues.

    posted in Water Closet
  • RE: sending custom CDR from FreePBX

    @dashrender said in sending custom CDR from FreePBX:

    @wrcombs I actually want HTML - that tag you mention is meant to tell the browser to display the contents as HTML content, not Text content.

    MySQL does not output HTML with a standard select statement. So you are counting on the mail command to insert it.

    The raw text looks like this.
    [image]

    That is what is being piped to your mail command.

    posted in IT Discussion
  • RE: What Are You Doing Right Now

    @scottalanmiller said in What Are You Doing Right Now:

    Ugh, stupid ML update issues tonight. But it is back now.

    I had a minor issue upgrading mine the other day, but that is because I am still on CentOS 7 and having issues due to old versions.

    Wasn't a NodeBB issue directly.

    posted in Water Closet
  • RE: What Are You Doing Right Now

    Ugh, stupid ML update issues tonight. But it is back now.

    posted in Water Closet
  • RE: Staying at your shitty employer is your fault

    @dashrender said in Staying at your shitty employer is your fault:

    @flaxking said in Staying at your shitty employer is your fault:

    GitLab used to have a calculator public to see how much you would get paid, but they had to take it down due to external pressures.

    One of the issues with posting something like that is that everyone in that specific role is basically making the same - there's no incentive to do better in that job. At least that's the excuse I hear...

    But there are incentives to move to locations that don't cost you so much, but cost the employer more. Lots of "gaming" of that system to be done.

    posted in IT Careers
  • RE: How to tell Yealink phones to upload user changes to the FreePBX provisioning directory

    If you upgrade to FreePBX 16, the script handler needs to be updated to reflect PHP7.

    The git repository is updated, but if you have an existing install, this will fix it for you:

    sudo sed -i "s/php5/php7/" /etc/httpd/conf.d/yealink.conf
    sudo systemctl restart httpd
    
    posted in IT Discussion
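The two commands above do the job, but on a production PBX you want a backup of the handler config, confirmation that nothing referencing php5 is left behind, and a syntax check before the web server is bounced. This is an added example, not the script from the linked git repository; it assumes GNU sed (in-place `-i`), the `/etc/httpd/conf.d/yealink.conf` path from the post, and that `apachectl` and `systemctl` are present as on a CentOS-based FreePBX host.

```sh
#!/bin/sh
# Update the Yealink provisioning script handler from php5 to php7
# (FreePBX 16 upgrade), with backup and verification. Added example;
# path and service names are assumptions for a CentOS/FreePBX host.

fix_yealink_handler() {
    conf="${1:-/etc/httpd/conf.d/yealink.conf}"

    if [ ! -f "$conf" ]; then
        echo "no such file: $conf" >&2
        return 1
    fi

    # Idempotent: a second run on an already-fixed host changes nothing.
    if ! grep -q 'php5' "$conf"; then
        echo "$conf already references php7; nothing to do"
        return 0
    fi

    # Keep a copy so the change can be reverted if the handler misbehaves.
    cp -p "$conf" "$conf.bak" || return 1

    # Every occurrence on every line, not just the first per line as the
    # original one-liner did.
    sed -i 's/php5/php7/g' "$conf" || return 1

    if grep -q 'php5' "$conf"; then
        echo "php5 references remain in $conf; restore from $conf.bak" >&2
        return 1
    fi

    echo "updated $conf (backup at $conf.bak)"
}

apply_and_restart() {
    fix_yealink_handler "$@" || return 1
    # Catch a broken directive before the service is restarted under it.
    apachectl configtest && systemctl restart httpd
}

# Usage on the PBX (as root):  . ./fix-yealink.sh && apply_and_restart
```

`fix_yealink_handler` takes an optional path so it can be tried against a copy of the config first; only `apply_and_restart` touches the running service.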