#qi-hardware IRC log for Saturday, 2013-11-09

[01:38] <wpwrak> bwahaha: http://mobile.reuters.com/article/idUSBRE9A703020131108?irpc=932
[01:39] <wpwrak> but let's rewrite this as "identified, questioned and ... terminated with extreme prejudice" ;-)
[08:41] <whitequark> > If you've been cleared and especially if you've been polygraphed, you're an insider and you are presumed to be trustworthy
[08:42] <whitequark> polygraphed. yeah. because that means something. :/
[08:46] <wpwrak> perhaps a security clearance shouldn't only involve background checks, polygraph, and all that, but also an IQ test ...
[08:46] <wpwrak> or maybe it is that their internal bureaucracy is so horrible that sharing passwords is part of the daily routine just to get things done
[08:50] <whitequark> (IQ test) not higher than X? :)
[09:03] <wpwrak> yeah, finding the right range may be tricky :) make them too smart and you get a lot more snowdens :)
[09:08] <kyak> "They have emphatically denied that he provided any classified material to countries such as China or Russia."
[09:09] <kyak> oh, that's really important!
[09:09] <kyak> like, yeah, we fucked up, but not that bad!
[09:12] <kyak> i wonder, how many of these 25 employees were women?
[09:12] <kyak> he good!
[09:15] <larsc> well, the trick to get passwords is to not just outright ask for them, but let the person come to you with a problem (which you might have created), and then say that in order to fix the problem you need the password
[09:17] <larsc> or something like, 'It will take at least two weeks to restore your E-Mail access' 'Isn't there a way to speed this up' 'Yeah, but it's not exactly by the book' ...
[09:18] <kyak> you sound like an experienced social engineer :)
[09:19] <larsc> I think that's elementary stuff
[09:22] <kyak> for an experienced social engineer, yes :) but not for those 25 employees
[09:32] <wpwrak> we worked as an admin, so people may have come to him with problems on a regular basis
[09:32] <wpwrak> but still, you'd expect that proper password procedures would be about the first thing they teach people at this sort of place
[09:34] <wpwrak> s/we /he / # oops, now i'm on their list :)
[10:02] <larsc> but not giving him the password would be like saying 'I think you are up to something.'
[10:03] <larsc> and that would be rude since he offered to help them
[10:03] <whitequark> well, isn't that *why* you should not give people passwords?
[10:03] <whitequark> because they may well be up to something.
[10:03] <whitequark> and the help he provides is his job
[10:04] <larsc> nah, but if you say something like I can restore your email account in two hours instead of two weeks
[10:09] <whitequark> well, there's a difference between rude and inconvenient to you
[10:11] <larsc> well the inconvenience is another factor in that situation as well
[10:14] <larsc> but the basic situation you want to engineer is a situation where the person would feel uncomfortable not giving you their password
[11:25] <DocScrutinizer05> social engineering for noobs
[11:25] <DocScrutinizer05> that's really the 101 they teach you even in company-wide security audits
[11:25] <DocScrutinizer05> or rather in preparation for...
[11:27] <DocScrutinizer05> the standard user has no idea why (s)he needs passwords at all, after all it's already HIM/HER who's sitting at the terminal and typing it, so why the additional hassle  ;-P
[11:28] <DocScrutinizer05> and admins are considered almighty (which usually they actually are), so all a user might wonder is "why does he even need my password? I'd hope for him to tell *me* my password once I forgot it"
[11:30] <DocScrutinizer05> tried to suggest a good read, but you don't like the bot, so google for it!
[12:29] <wpwrak> larsc: all very well, but don't forget that this is an area where people have all sorts of security clearances, operate on a need-to-know basis, where access is compartmentalized, and so on. being paranoid is their foremost obligation.
[12:30] <wpwrak> DocScrutinizer05: bofh, the great classic ;-)
[12:31] <DocScrutinizer05> sure ;-)
[12:31] <DocScrutinizer05> you can learn a lot about social engineering from it
[12:32] <wpwrak> larsc: that doesn't mean that there can't be a few gullible victims. but that he can go through "20-25" people, who all have elevated access privileges, and that doesn't even raise any suspicion is more than surprising.
[12:34] <wpwrak> their default attitude should be "you don't need to know my password and i'll inform your superior". now, he may be able to worm his way around the latter: "oh, sorry, i'm new here, we always did that at my old job" etc. but the odds should be heavily stacked against this sort of stunt.
[12:36] <wpwrak> of course, if it turns out that some did inform on him and his (NSA) supervisor didn't pay attention, then i wouldn't want to be in his skin :)
[12:37] <DocScrutinizer05> now you got to the fun aspects of my daily duty as maemo admin supervisor ;-P
[12:39] <wpwrak> are the maemo admins leaking lots of dirty laundry labeled "top secret" ? :)
[12:40] <DocScrutinizer05> or should I say senior admin and coordinator?
[12:40] <DocScrutinizer05> nah, only handling a database with ~90k valuable user records
[12:41] <DocScrutinizer05> and all that without any paperwork that would establish any form of liability
[12:41] <DocScrutinizer05> since, you know... community
[12:41] <DocScrutinizer05> you can't even dream of the flames I receive sometimes
[12:42] <wpwrak> the more informal, the better the flames ;-)
[12:43] <DocScrutinizer05> you can't fire volunteers
[12:44] <DocScrutinizer05> and some you can't even kick since otherwise the community will kick you
[12:45] <DocScrutinizer05> one dude already asked Hildon Foundation to expel me from maemo admin since I dared to overrule him on a security issue
[12:46] <DocScrutinizer05> where my decision was on the safe side
[12:47] <DocScrutinizer05> while the dude was rushing all over our infra, abusing his privileges and not communicating what he does, and opened up security band-aid blocks we established when we found a massive vulnerability
[12:48] <DocScrutinizer05> particularly he re-enabled login to maemo midgard when all users had admin permissions on midgard due to a config fsckup
[12:48] <wpwrak> well, let him run wild for a while, let him build up a reputation of being an asshole. wait until he makes a big mistake. then pounce :)
[12:50] <DocScrutinizer05> he DID make a big mistake, I blamed him in a closed channel and when another honorable guy asked him to chill a bit he ragequit and has never been seen again
[12:50] <wpwrak> and always remember, there is the common sociopath, there are big sociopaths, and there are efficient sociopaths. you want to be the latter :)
[12:50] <DocScrutinizer05> hi dos1
[12:51] <wpwrak> DocScrutinizer05: (ragequit) perfect. so it worked as planned :)
[12:51] <DocScrutinizer05> basically yes
[12:52] <DocScrutinizer05> for sure I'd rather see him adjust his attitude and behavior
[12:52] <DocScrutinizer05> particularly since he was partially quite knowledgeable
[12:52] <DocScrutinizer05> but he was unable to grok the principle of limited permissions
[12:53] <wpwrak> some people are just looking for a fight. better to be rid of them.
[12:53] <DocScrutinizer05> he was looking to prove his own awesomeness
[12:53] <DocScrutinizer05> by doing everything with root permissions without peer review or any feedback or permission
[12:54] <DocScrutinizer05> no team player
[12:54] <dos1> DocScrutinizer05: hello!
[12:55] <DocScrutinizer05> wpwrak: basically he maintained a 12-VM server infra with 90k users and 10 admins like his own PC at home
[12:56] <DocScrutinizer05> nobody had (or has) a friggin clue what he did, or why
[12:56] <wpwrak> ah, now i see why you'd have liked to keep him. someone who single-handedly juggles 12 servers is hard to find.
[12:56] <wpwrak> yeah, that's the normal case with those guru admins
[12:57] <DocScrutinizer05> so in the end we are better off without him
[13:00] <DocScrutinizer05> I told him "you're not supposed to do this. It's an abuse of your privileges, and it's a mega security breach opening up a huge (and known) vulnerability. Please INSTANTLY revert what you did - whatever it was - then reboot the machines where you did changes! INSTANTLY, NOW!  THEN we discuss the issue" - he answered by calling me names
[13:01] <DocScrutinizer05> when *I* did what I asked HIM to do, he asked for my expulsion
[13:01] <roh> somebody who doesn't take user data privacy seriously should be sued, not hired.
[13:01] <DocScrutinizer05> roh: the problem is: we don't hire in community, we don't have funds to hire
[13:01] <roh> DocScrutinizer05: doesn't matter.
[13:02] <roh> the law doesn't differentiate whether you get money or not for doing the work. either do it properly or gtfo
[13:02] <DocScrutinizer05> well, he's gone and his accounts blocked
[13:03] <DocScrutinizer05> my mistake - I thought the dude was susceptible to good reasoning and policies to agree upon
[13:03] <DocScrutinizer05> it turned out he wasn't
[13:04] <DocScrutinizer05> he received root permissions under the policy to NOT abuse them for ANY editing
[13:05] <DocScrutinizer05> since our infra was fsckdup in that regard back when
[13:05] <DocScrutinizer05> (no ACL for example)
[13:06] <DocScrutinizer05> he abused those permissions with the best intent to "fix stuff", but the way he did it caused more havoc than good
[19:28] <Chuck174> if i have 2x4gb ram , should i add my older ram (2x2gb) in the other slot?
--- Sun Nov 10 2013 00:00