One chestnut from my history in lottery game development:

While our security staff was incredibly tight and did a generally good job, oftentimes levels of paranoia were off the charts.

Once they went around hot gluing shut all of the “unnecessary” USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, also that every machine had a RW optical drive.

  • body_by_make@lemmy.dbzer0.com · 42 points · 1 year ago

    Oftentimes you’ll find that the crazy things IT does are forced on them from higher ups that don’t know shit.

    A common case of this is requiring password changes every x days, which is a practice that is known to actively make passwords worse.

    • dual_sport_dork 🐧🗡️@lemmy.world · 10 points · 1 year ago

      Or it prompts people to just stick their “super secure password” with byzantine special character, numeral, and capital letter requirements to their monitor or under their keyboard, because they can’t be arsed to remember what nonsensical piece of shit they had to come up with this month just to make the damn machine happy and allow them to do their jobs.

      • SpaceNoodle@lemmy.world · 2 points · 1 year ago

        I do this in protest of asinine password change rules.

        Nobody’s gonna see it since my monitor is at home, but it’s the principle of the thing.

    • Krudler@lemmy.world (OP) · 7 points · 1 year ago

      That’s super true; so many times, to stay ISO compliant (I’m thinking about the lottery industry here), security policies need to align with other recommendations and best practices that are often insane.

      But then there’s a difference between those things which at least we can rationalize WHY they exist… and then there’s gluing USB plugs shut because they read about it on Slashdot and had a big paranoia. Lol

    • xkforce@lemmy.world · 7 points · 1 year ago

      The DOD was like this. And it wasn’t just that you had to change passwords every so often; the requirements for those passwords were egregious, but at the same time changing 1 number or letter was enough to pass the password requirements.

    • ditty@lemm.ee · 0 points · 1 year ago

      For our org, we are required to do this for our cybersecurity insurance plan

      • Natanael@slrpnk.net · 0 points · 1 year ago

        Tell them NIST now recommends against it so the insurance company is increasing your risks

        • Hobo@lemmy.world · 1 point · 11 months ago

          The guideline is abundantly clear too with little room for interpretation:

          5.1.1.1 Memorized Secret Authenticators

          Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

          https://pages.nist.gov/800-63-3/sp800-63b.html
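As an added example (editor's code, not from any commenter and not NIST's own), the following Python verifier applies the 800-63B text quoted above, length plus a blocklist, no composition rules, and rotation only on evidence of compromise, next to the legacy composition and "change it every x days" rules the thread complains about. The breach list, the `alice` credential and the dates are constructed for illustration; a real verifier would query a breach corpus and store secrets with a salted, slow hash.

```python
"""Added example, not from the thread: a memorized-secret verifier that follows the
SP 800-63B text quoted above (length + blocklist, no composition rules, rotation only
on evidence of compromise), beside the legacy rules it replaces."""
import hashlib
import unicodedata
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

MIN_LEN, MAX_LEN = 8, 64   # 800-63B: at least 8 characters; SHOULD accept at least 64

# Constructed stand-in for a "commonly-used, expected, or compromised" corpus.
# SHA-1 is only the lookup key here (breach corpora are usually keyed that way);
# stored secrets still need a salted, slow hash.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2024!")
}


def normalize(secret: str) -> str:
    """800-63B: apply Unicode normalization (NFKC here) before comparing or hashing."""
    return unicodedata.normalize("NFKC", secret)


def evaluate_secret(secret: str, username: str = "", service: str = "") -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    Deliberately has no 'needs a digit / symbol / capital' rule."""
    s = normalize(secret)
    problems: List[str] = []
    n = len(s)                                  # code points, not bytes
    if n < MIN_LEN:
        problems.append(f"too short ({n} < {MIN_LEN})")
    if n > MAX_LEN:
        problems.append(f"too long ({n} > {MAX_LEN})")
    if hashlib.sha1(s.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breach corpus")
    lowered = s.lower()
    for ctx in (username, service):             # context-specific words are also rejected
        if ctx and ctx.lower() in lowered:
            problems.append(f"contains context-specific word {ctx!r}")
    return problems


def legacy_composition_ok(secret: str) -> bool:
    """The rule set 800-63B says not to impose: at least three of four character classes."""
    classes = (any(c.islower() for c in secret), any(c.isupper() for c in secret),
               any(c.isdigit() for c in secret), any(not c.isalnum() for c in secret))
    return sum(classes) >= 3


@dataclass
class Credential:
    username: str
    set_on: date
    compromise_evidence: List[str] = field(default_factory=list)   # e.g. "hash seen in dump X"


def must_rotate(cred: Credential, today: date, legacy_max_age_days: Optional[int] = None) -> bool:
    """800-63B: force a change only on evidence of compromise. Passing legacy_max_age_days
    reproduces the 'change it every x days' rule so the two policies can be compared."""
    if cred.compromise_evidence:
        return True
    if legacy_max_age_days is not None:
        return (today - cred.set_on).days >= legacy_max_age_days
    return False


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: a one-year-old secret with no evidence of compromise, then
    the same secret after it turns up in a dump."""
    cred = Credential("alice", date(2023, 1, 1))
    no_expiry = must_rotate(cred, date(2024, 1, 1))                                # False
    ninety_day_rule = must_rotate(cred, date(2024, 1, 1), legacy_max_age_days=90)  # True
    cred.compromise_evidence.append("hash found in public dump")
    after_compromise = must_rotate(cred, date(2023, 1, 2))                         # True
    return no_expiry, ninety_day_rule, after_compromise


if __name__ == "__main__":
    for pw in ("Summer2024!", "correct horse battery staple"):
        print(f"{pw!r}: legacy_ok={legacy_composition_ok(pw)} problems={evaluate_secret(pw)}")
    print(demo())
```

The two policies disagree in both directions: `Summer2024!` satisfies the three-class composition rule but is rejected by the blocklist, while `correct horse battery staple` fails the composition rule and is accepted by the 800-63B check. The rotation decision is the other half of the quoted text: with no compromise evidence a year-old secret is left alone, and the moment evidence appears it is forced out regardless of age.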

  • Herrmens@lemmy.world · 27 points · 1 year ago

    Took away Admin rights, so every time you wanted to install something or do something in general that requires higher privileges, we had to file a ticket in the helpdesk to get 10 minutes of Admin rights.

    The review of your request sometimes took up to 3 days. Fun times for a software developer.

    • Krudler@lemmy.world (OP) · 4 points · 1 year ago

      Oh shit, you just reminded me of the time that I had to PHONE Macromedia to manually activate software because of the firewalling. This was after waiting days to get administrative permission to install it in the first place.

      “Thank you” for helping resurface those horrible memories!

      I don’t miss those days.

  • neveraskedforthis@lemmy.world · 20 points · 1 year ago

    Banned open source software because of security concerns. For password management they require LastPass or that we write them down in a book that we keep on ourselves at all times. Worth noting that this policy change was a few months ago. After the giant breach.

    And for extra absurdity: MFA via SMS only.

    I wish I was making this up.

    • JackGreenEarth@lemm.ee · 2 points · 1 year ago

      Banning open source because of security concerns is the opposite of what they should be doing if they care about security. You can’t vet proprietary software.

      • DKP@lemmy.world · 1 point · 1 year ago

        It’s not about security, it’s about liability. You can’t sue OSS to get shareholders off your back.

  • Illecors@lemmy.cafe · 11 points · 1 year ago

    Hasn’t made life hell, but the general dumb following of compliance has left me baffled:

    • users must not be able to have a crontab. Crontab for users disabled.
    • compliance says nothing about systemd timers, so these work just fine 🤦

    I’ve raised it with security and they just shrugged it off. Wankers.
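The gap in that comment (user crontabs disabled, systemd timers untouched) is exactly what an audit should enumerate. As an added example (editor's code, not from the commenter or any compliance tool), this Python script lists both cron entries and systemd timer units under a root directory, reports whether a user may run `crontab` under the cron.allow/cron.deny rules, and runs against a constructed sample tree; the paths are the usual Debian/RHEL locations, and the `alice` timer and sample crontab are made up for the demonstration.

```python
"""Added example, not from the thread: audit every scheduling mechanism on a Linux host
so a 'users must not have a crontab' control is checked against systemd timers too.
Paths are common Debian/RHEL defaults; `root` lets it run on a mounted image or on
the constructed sample tree below."""
import glob
import os
import tempfile
from typing import Dict, List

CRON_GLOBS = ["var/spool/cron/crontabs/*", "var/spool/cron/*",   # per-user crontab files
              "etc/crontab", "etc/cron.d/*"]                      # system crontabs
TIMER_GLOBS = ["etc/systemd/system/*.timer",                      # system-wide timers
               "home/*/.config/systemd/user/*.timer",             # per-user timers, no crontab needed
               "root/.config/systemd/user/*.timer"]
SCHEDULE_KEYS = ("OnCalendar", "OnBootSec", "OnStartupSec", "OnActiveSec", "OnUnitActiveSec")


def owner_of(rel: str) -> str:
    """Owning user, inferred from the path relative to root."""
    parts = rel.split("/")
    if parts[0] == "home":
        return parts[1]                       # home/<user>/...
    if parts[:3] == ["var", "spool", "cron"]:
        return parts[-1]                      # spool files are named after the user
    return "root" if parts[0] == "root" else "system"


def cron_entries(path: str) -> int:
    """Active crontab lines: not blank, not a comment, not a VAR=value line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [line.strip() for line in fh]
    return sum(1 for s in lines if s and s[0] != "#" and "=" not in s.split()[0])


def timer_schedule(path: str) -> str:
    """First schedule directive of a .timer unit, e.g. 'OnCalendar=*:0/15'."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, _, value = line.strip().partition("=")
            if key in SCHEDULE_KEYS:
                return f"{key}={value}"
    return "no schedule directive"


def find_scheduled_tasks(root: str = "/") -> List[Dict[str, str]]:
    """Every cron file and systemd timer unit found under root."""
    found: List[Dict[str, str]] = []
    for mechanism, patterns in (("cron", CRON_GLOBS), ("systemd-timer", TIMER_GLOBS)):
        for pattern in patterns:
            for p in sorted(glob.glob(os.path.join(root, pattern))):
                if not os.path.isfile(p):
                    continue                  # skips e.g. Debian's nested crontabs/ directory
                rel = os.path.relpath(p, root)
                detail = (f"{cron_entries(p)} active entries" if mechanism == "cron"
                          else timer_schedule(p))
                found.append({"mechanism": mechanism, "user": owner_of(rel),
                              "path": rel, "detail": detail})
    return found


def user_crontab_allowed(root: str, user: str) -> bool:
    """Mirror crontab(1): cron.allow, if present, is authoritative; otherwise cron.deny."""
    allow, deny = (os.path.join(root, "etc", f) for f in ("cron.allow", "cron.deny"))
    if os.path.exists(allow):
        with open(allow, encoding="utf-8") as fh:
            return user in fh.read().split()
    if os.path.exists(deny):
        with open(deny, encoding="utf-8") as fh:
            return user not in fh.read().split()
    return True


def build_sample_tree() -> str:
    """Constructed host: empty cron.allow (nobody may run crontab, as in the comment
    above), one system crontab, and a per-user systemd timer that still fires."""
    root = tempfile.mkdtemp(prefix="sched-audit-")
    files = {
        "etc/cron.allow": "",
        "etc/crontab": "SHELL=/bin/sh\n# m h dom mon dow user command\n"
                       "17 * * * * root cd / && run-parts /etc/cron.hourly\n",
        "home/alice/.config/systemd/user/sync.timer": "[Timer]\nOnCalendar=*:0/15\nUnit=sync.service\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo() -> Dict[str, object]:
    root = build_sample_tree()
    tasks = find_scheduled_tasks(root)
    return {"alice_can_use_crontab": user_crontab_allowed(root, "alice"),
            "alice_mechanisms": [t["mechanism"] for t in tasks if t["user"] == "alice"],
            "total": len(tasks)}


if __name__ == "__main__":
    print(demo())
```

On a live host call `find_scheduled_tasks()` as root. Scanning the disk misses transient timers created with `systemd-run --on-calendar ...` (they exist only inside the running manager), so pair it with `systemctl list-timers --all` and, for each user with a session or lingering enabled, `systemctl --user list-timers`. If the control really means "no user-scheduled jobs", the systemd side needs its own restriction; silence in the compliance text is not one.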

  • dual_sport_dork 🐧🗡️@lemmy.world · 6 points · 1 year ago

    Not my IT department (I am my IT department): One of the manufacturers for a brand of equipment we sell has a “Dealer Resource Center,” which consists solely of a web page where you can download the official product photography and user’s manuals, etc. for their products. This is to enable you to list their products on your e-commerce web site, or whatever.

    Apparently whoever they subcontracted this to got their hands on a copy of Front End Dev For Dummies, and in order to use this you must create a mandatory account with minimum password complexity requirements, and solve a CAPTCHA every time you log in. They also require you to change your password every 60 days, and if you don’t they lock your account and you have to call their tech support.

    Three major problems with this:

    1. There is no verification check that you are actually an authorized dealer of this brand of product, so any fool who finds this on Google and comes up with an email address can just create an account and away you go downloading whatever you want. If you’ve been locked out of your account and don’t feel like picking up the telephone – no problem! Just create a new one.

    2. There is no personalized content on this service. Everyone sees the same content, and it’s not like there’s a way to purchase anything on here or anything, and your “account” stores no identifying information about you or your dealership that you feel like giving it other than your email address. You are free to fill it out with a fake name if you like; no one checks. You could create an account using obvioushacker@pwned.ru and no one would notice.

    3. Every single scrap of content on this site is identical to the images and .pdf downloads already available on the manufacturer’s public web site. There is no privileged or secure content hosted in this “Resource Center” whatsoever. The pictures aren’t higher res or anything. Even the file names are the same. It’s obviously hooked up to the same backend as the manufacturer’s public web site. So if there were such a thing as a “bad actor” who wanted to obtain a complete library of glamor shots of durable goods, for some reason, there’s nothing stopping them from scraping the public web site and coming up with literally exactly the same thing.

    It’s baffling.

  • SHITPOSTING_ACCOUNT@feddit.de · 2 points · 1 year ago

    Endless approval processes are a good one. They don’t even have to be nonsensical. Just unnecessarily manual, tedious, applied to the simplest changes, with long wait times and multiple steps. Add time zone differences and pile up many different ones, and life becomes hell.

  • Punkie@lemmy.world · 1 point · 11 months ago

    Worked a job where I had to be a Linux admin for a variety of VMs. To access them, I needed a VPN that only worked inside the company LAN and blocked internet access. It was a 30-day trial license on day 700-something, so it had a max 5 simultaneous connection limit. Access was from my heavily locked down laptop: Windows 7 with a 5-minute locking screensaver. The ssh software was an unknown brand, “ssh.exe”, which only allowed one connection at a time in an 80 x 24 console window with no ability to copy and paste. This went to a bastion host, an HP-UX box on an old csh shell with no write access to your home directory due to a 1.4 MB disk quota per user. Only one login per user, ten logins max, and the bastion host was the only way to connect to the Linux VMs. Default 5-minute logout for inactivity. No ssh keys allowed. No scripting allowed; it was like typing over 9600 baud.

    I quit that job. When asked why, I told them I was a Linux administrator and the job was not allowing me to administrate. I was told “a poor carpenter always blames his tools.” Yeah, fuck you.

  • Zeth0s@lemmy.world · 1 point · 1 year ago

    They set Zscaler so that if I don’t access an internal service for an unknown number of months, it means I don’t need it “for my daily work”, so they block it. If I want to access it again I need to open a ticket. There is no way to know what they closed and when they’ll close something.

    In the 1 month since this policy has been active, I have already opened tickets to access test databases, k8s control plane, quality control dashboards, tableau server…

    I really cannot comment how wrong it is.

  • Rin@lemm.ee · 0 points · 1 year ago

    Mozilla products banned by IT because they had a vulnerability in a previous version.

    Rant

    It was so bullshit. I had Mozilla Firefox 115.1 installed, and Mozilla put out an advisory, like they do all the fucking time. Fujitsu made it out to be some huge huge unfixed bug the very next day in an email after the advisory was posted and the email chain basically said “yk, we should just remove all Firefox. It’s vulnerable so it must be removed.”

    I wouldn’t be mad if they decided that they didn’t want to have it be a managed app or that there was something (actually) wrong with it or literally anything else than the fact that they didn’t bother actually reading either fucking advisory and decided to nuke something I use daily.

    • Dicska@lemmy.world · 0 points · 11 months ago

      Nah mate, they were completely right. What if you install an older version, and keep using it maliciously? Oh wait, now that you mention it, I’m totally sure Edge had a similar problem at one point in the past. So refrain from using Edge, too. Or Explorer. And while we’re at it, it’s best to stay away from Chrome, as well. That had a similar vulnerability before, I’m sure. So let’s ditch that, along with Opera, Safari, Maxthon and Netscape Navigator. Just use Lynx, it’s super lightweight!

      EDIT: on another thought, you should just have stopped working for the above reason. Nothing is safe anymore.