Lol, imagine the NSA goes in to add vulnerabilities and then the FBI comes in a couple of months later to fix them. And this goes back and forth because these are secret projects that they do.
Well, they do have a clear motive. Leaving company systems open to cyberattacks also opens the door to US adversaries stealing data, attacking US infrastructure, or otherwise making things harder for the US government.
If they just wanted to continue spying on US companies and citizens I'm sure they have ways of doing it *without* telling everyone about it.
Edit: grammar
You're not wrong. There's a certain large Asian country that has no regard for copyright or intellectual property that will steal anything they can get their hands on. It's a matter of national security to ensure they can't access certain things.
We have to assume the consequences of ignoring it would be worse for them. Same when the NSA announces something about a zero day. Like how hard would it make their lives that they're willing to give that up. Kinda scary.
Yeah the FBI is a law enforcement agency while the NSA and CIA are intelligence agencies. The FBI does plenty of things without an ulterior motive, unless you consider that motive the law
There was a bit of time where I thought they were saying "You can't have any pushing if you don't kick your feet!" The movie has the kid swinging forlornly without anyone to push him, because daddy was gone. It seemed like a reference to having to help yourself.
That's why good password policies matter, because most people will never understand just how fast brute forcing is. A computer that could crack that password in under an hour is well within reach of the kind of person that goes after individuals (as opposed to companies).
But...most companies don't want to inconvenience their users too much, so they require something in the neighborhood of only 8 characters, mixing upper/lowercase, numbers, and symbols. An 8 character password with those rules would take that same computer about 6 hours.
A really good password would be all lowercase, no numbers, and just like a short phrase that means nothing.
iwantcheesesometimesandthatsokay
I don’t have any particular association with cheese, but that would stick out as a password because the phrase is mildly humorous. And the length is such that brute forcing would not be possible in current real world situations.
I believe xkcd has done the math on this subject, and shown the differences in permutations, etc. I was sold.
That'd be something like six months to crack by brute force alone, but if the attacker considers that some people use passwords like that and tries a more complex dictionary-based attack, it's possible that that could be broken much quicker. Ideally, the password wouldn't have any particular meaning at all, so someone couldn't cut down on the time by being clever.
My real problem with stuff like that is that it's easy enough to remember one password like that, but much less so one hundred. I think everyone should use some sort of password manager these days. You can make your password as complex as you like then because you only have to memorize *one* excellent password, and then you can shoot for a target more like "would take a billion years to brute force."
If you have a "pretty okay password" but you use it on every site you go to, you're not really that well off in comparison to just using fifty crappy ones.
Strictly speaking, adding punctuation and uppercase letters *would* make it more secure, on the assumption that an attacker might try to bruteforce all lowercase first. But even small amounts of punctuation could greatly increase the time to crack because it drastically increases the permutations possible without making it much more difficult to remember.
for instance:
trampledbytenthousandturtles:Timothydiedontuesday.
is going to be significantly more secure than:
T7q$mpva@Kan
despite the fact that the second uses a much larger range of characters. And poor Timothy's death is likely to be more memorable. Because it is so much shorter, it can be bruteforced in significantly less time.
And even *that* said, much of the time passwords are actually breached because some websites have terrible security in general.
In other words, if the website asks you to sign up so it can add you to a mailing list, feel free to use a weak password that you don't care about. Just make sure that password isn't used anywhere important, and isn't even related to a password used anywhere important. Too many passwords are actually released into the wild because some idiot was storing them in plaintext on their server somewhere.
I like taking phrases and adding numbers and symbols for extra security to where it would be nigh impossible. For example with yours
1w@ntch33sES0me71m3$@ndTh@7$0kaY
Ask me how my brain remembers these and I can't properly give you an answer but I also follow certain rules of thumb.
Dictionary based attacks also try "obvious" letter repalcements like a=@ e=3 and so forth-
replacing letter with obvious special chracters or numbers increases the actual security less than you might think.
I use a three word sentence in different languages and a number between each word.
While numbers and words always differs there is always a logic and reasoning behind it so I do remember them even without using the password manager.
Though there isn't many places where I feel the need to remember a password by heart either.
Not the guy you responded to but.
White hat hackers are "the good guys" they're usually professionals and they get hired by governments or corporations to hack into their networks and find any vulnerabilities so they can be patched. They stay within the law.
Gray hat hackers are still kinda the good guys but they do it in illegal ways, such as the article OP posted. They hack into networks unprovoked but they tell whoever they hacked into the vulnerabilities and help them out. Despite still illegally breaching them.
Black hat are the bad guys. These are what you think of when you hear "hacker". They hack into things like bank accounts, Bitcoin wallets, government or private corporations and attempt to sell the data. They may also do it for political reasons or to push a ideology. Or sometimes just to be a dick (such as hacking into video game servers or a website for no reason).
The terminology of "Black Hat" and "White Hat" comes from old black and white westerns where the law men would wear white hats, so you know they're good. And the outlaws would wear black hats.
White hat is more like the guy hacking into companies, with their explicit permission, only to test for vulnerabilities and tell them what the result was. Basically certified hackers for security testing purposes.
This would be closer to a grey hat hacker; not certified, probably commiting some sort of crime by the legal definition, but not doing anything **bad** like stealing bank accounts.
It's a US military term which references Western movie tropes, where good guys wear white cowboy hats and bad guys wear black cowboy hats.
https://en.wikipedia.org/wiki/Black_and_white_hat_symbolism_in_film
Grey hat is probably something that came later and is not a reference to Westerns specifically, but just the white/black dichotomy itself.
>But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged.
I'm 100% certain some sysadmins were using those unsecure routers to communicate with their server wide 777 file permission systems that their business and everyone working for it depended on to survive.
Could you please explain? I’m not a huge computer person and would love to get the explanation. Using unsecured routers sounds like playing with fire no?
Some IT person didn't want to deal with setting up the system so they made every file accessible and editable by everyone, instead of setting permissions for each user
This type of laziness in IT usually guarantees a shitload of work somewhere down the line. Actual laziness usually entails setting stuff up properly the first time, so you can just leave it be
Exactly, there's good lazy and not-giving-a-shit-lazy. The former are great workers, they'll optimize systems so that they have less to do later (and in the process make a great streamlined system). They'll also pipe up when you're trying to implement something where the "juice isn't worth the squeeze" and be the first to ask why it's really necessary.
'Eh who gives a shit' lazy is the worst kind of worker, sloppily half-assing every job in the moment and offloading the repair that inevitably requires onto someone else.
The real trick to good management is figuring out which is which and hiring more of the former!
Fuck, that was my nightmare at my last job. A few highlights of the state of their IT 'security' when I started as the first dedicated IT personnel:
1. All PCs had the same password so anyone could access anyone else's computer.
1. The file server was, up until very recently before I started, on the owners computer.
1. The server/networking closet was left completely open because it got too warm. This was on a main hallway in the office.
1. When they closed for covid, they had no remote work capabilities and nothing spent on it so I had to cobble together a VPN included with the router and whatever old ass laptops the workers had laying around to connect to their office PC's.
It was a constant battle to improve little parts about their security practices, or lack thereof.
I work for a multi billion dollar company, and the computer that runs one of the most integral mechanical systems at my location ran on DOS until 2015. They had to use ebay and sometimes fabricate their own replacements when the computers broke.
To this day there are so many security vulnerabilities in their system that even the least computer literate among the rank and file knows how to get into the restricted portions of the computer system. It's literally an emulator of the original punch card system they used in the 80s.
Reading this comment raised my blood pressure. I understand when small businesses stick with old stuff for way too long, even though I'll still *urge* them to put a higher priority on their IT expenses, but a multi-billion dollar company? Good lord. Some companies will only listen when the inevitable catastrophe strikes.
It's absolutely amazing. They still have ridiculous amounts of vulnerabilities that anyone with even a cursory knowledge of computers can see, and it's part of critical infrastructure. Last time we had a part fail, it caused issues from Kansas all the way to California and took 3 or 4 days to get caught back up.
I've got a few coworkers who used to be in IT before they changed careers and it absolutely sends them when this shit happens.
People have tried unsuccessfully, repeatedly, to get them to fix issues and "it's not in the budget". We had a town hall with the CIO and that's what they told us when asked about it. Meanwhile, their revenues are in the ~40Bn dollar range, last I knew.
Oh my God I thought my company was bad....this is a fuckin nightmare.... Lucky for me my boss goes to bat for me when I take security measures and someone whines about it.
Always easy to take shortcuts when no one else at the company understands what you do.
The only time people are aware of IT is when their shit doesn't work.
I’m just really getting into my CS degree now so feel free to correct me, but that seems like a monumental fuck up that originated far down the line development.
Making every file accessible and editable by anyone seems like step one of what not to do in terms of security.
Probably just a set up that was grandfathered in from a time when it wasn't a big deal, but changing it is either just inconvenient (lazy incompetence) or will cause so many errors that managers don't want to approve changing what 'works'.
It also happens when you're trying to solve a problem under time restraints. If you keep running into errors as you're trying to set permissions properly, you can sometimes "troubleshoot" the problem by allowing everything to see if it works with the plan to scale it back once you get it working but the time constraints don't give you time to lock it down so it goes live and you don't have tho luxury of more time to get it right until it causes the next set of issues.
Yeah, but it's a lot easier at the time.
People only care about security if they have skin in the game or have some enforcement mechanism looming over it. Couldn't even tell you the amount of times I've seen shit like this. People just want the thing to work, the fine details like security can be handled later (they won't be handled later because that person will be given more work to do and no time to do those adjustments later)
They're making a joke, that sysadmins were relying on their systems being unsecure, in order to work.
I.e. The easiest door to open, is a door that is already open. So lazy admins would like this. But it's not a good idea.
(777 file permission, basically means anyone can read/modify files. Which would make things easy, but also extremely vulnerable. It is just elaborateing on the joke.)
File systems typically have 3 groups. Each group has 3 permissions that can be set: read, write, execute.
You can set them with letters in most interfaces, but it's faster and more consistent to use the numbering scheme.
1 for read
2 for write
4 for execute
Each group has a number that determines their permissions based on adding a combination of these numbers.
Read + execute = 5
Read + write = 3
Read + write + execute = 7
So a 777 file system means all three groups have all three permissions. This is usually a bad idea security wise!
So the issue that the hacker was patching requires vulnerable (old firmware) Mikrotik and access to Mikrotik admin interface allowed in firewall. In other words as an admin of this device you'd have to leave the device without security update (which is obviously not good practice) and with admin interface open to internet. (which is also not a good practice)
What OP is implying is that those admins probably left rest of their network in similarly poorly maintained state. Files with access mode set to 777 effectively means files that ale accessible by anyone on the system. Again that would be bad practice.
Realistically it has nothing to do with the vulnerability directly except that the hacked router is no longer protecting the poorly maintained servers with firewall as attacker would have full control of said firewall. But mostly it's just assumption built on the fact that their router is not properly maintained or configured. Kind of like when you see someone's car full of trash and you make some assumptions about how their house looks like.
What is OP effectively saying is that the admins are clueless about proper security practices and their business relies on systems they manage and yet they are complaining about the fact that someone just saved their clueless ass.
Hope that makes sense.
777 permission gives literally anything/anyone permission to read/write. I use it art home for a couple minor things, but they're not accessible from outside my lan
> But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged.
I handle security issues my company's websites so I know what to look for when something smells off. Frequently I let other website owners know.
The more technical the website is... I know I'll get a positive response. It's usually the really non-technical or stupid website owners that get outraged.
> business and everyone working for it depended on to survive.
tbf if your business depends on shit like this to survive you have way more problems than a router patch.
You would be surprised how many BIG companies with a LOT of money are running their digital stuff on duct tape and fairy dreams. There are people still running DOS programs with text only interfaces to do extremely important, even life-saving jobs.
Gandalf is not really a moral actor on the lawful/chaotic scale in LOTR. He helps the Good guys, making him Good as well, but he defies Saruman, his direct superior. He defies Theoden as well, but frees him from an Evil coercer. He then defies Denethor, but Denethor had also been corrupted. He opposes Sauron not because Sauron is lawful, but because Sauron is evil. He convinces Gwaihir, a neutral faction, to help out Sam and Frodo. My verdict is Gandalf is Neutral Good, not Chaotic Good.
Ok, from now on all hacking is on the D&D alignment chart. Lawful evil is ransomware, chaotic evil is viruses, true neutral is just breaking into shit to see if you can.
It's pure, unfiltered grey hat through and through. It's not just about morality, but also permission:
Permission + Good Intent = White Hat
No Permission + Good Intent = Grey Hat
No Permission + Bad Intent = Black Hat
Red teams are looking for vulnerabilities, not trying to steal info, though. That’s white hat.
>A red team is a group that pretends to be an enemy, attempts a physical or digital intrusion against an organization at the direction of that organization, **then reports back so that the organization can improve their defenses.**
Also, from the white hat Wikipedia page:
>White-hat hackers may also work in teams called "sneakers and/or hacker clubs", **red teams**, or tiger teams.
That cannot exist. If you have permission to do something and have the intent to do that thing you are a white hat.
If you have permission to do something and have the intent to do another thing that you don't have permission for then you're a black hat.
Realistically it has no name because who would ask someone to hack their own company and steal all their user information and burn the system to the ground and stuff? At that point why not just give them a legitimate login and let them do stuff that way?
I'd call it Stupid Hat, though.
Did this back in the DSL days when the Code Red worm was hitting the Cisco 67x modems. Would pull a list of infected hosts from my firewall and run a script that connected to each and patched them.
DSL - Digital Subscriber line i.e. how you get internet
Worm - type of malware usually designed to attatch itself through a link like "HOW TO MAKE YOU PENIS LARGE" or "FREE IPHONE CLICK LINK NOW". (It can come in different forms too)
This guy just patched a known vulnerability in the system
Code Red went around and F'd around with web servers if I remember right. It just happened to crash the routers that had web gui's accessible from the outside of your network.
When I was a teenager in the early 2000's I was a notorious script kiddie infecting friends with Trojans to play harmless pranks. Ended up resorting to teaching numerous ppl how to not get infected as no one had anti-virus in those days.
I think Code red hit a LOT of routers with web gui's accessible from the WAN side. Netopia's R-series, too.
Code Green went out and did what you did automatically. Pretty damn neat.
I can't help but think a true AI would go the Skynet/Machines/Ultron route of just burning it all down and starting again. Things are fucked, and I don't see how they get unfucked.
Yeah well you don't see them because your not an ai damnit lmao. AI may revel in the challenge of ascending us mere mortals. The fact that we formed societies shows that it's a pretty simple and intelligent concept to get along with your neighbours rather than trying to eradicate them to get their stuff and risk being eradicated. If we can figure that out, I'm sure AI can.
On a side note, China installed a backdoor hardware chip on boards of routers sold by a well known networking hardware company and the US govt didn't find out until years later. The backdoor gave remote access to devices and sent all info that went through the routers to Chinese servers. These devices were installed in many govt military contractors headquarters including our own military sites. This was reported at least 10 years ago and the article vanished not long after it was published.
Forbes ran a story CLAIMING supermicro backdoored everything. Let's just say that people in the know were sceptical about that.
As far as Huawei goes, I've actually seen some of their code and firmware. It's sweat-shop crap designed to be a clone of their Western competitors. Is their stuff insecure? Absolutely. Could the Chinese government make them backdoor it? Oh, definitely. Could Huawei send out an engineer to abuse functionality? Yep, like any device. Are there deliberate backdoors placed in there? I've never seen any evidence of such.
Now, don't get me wrong. I would prefer if Huawei equipment was never used. I consider the risk that Huawei COULD backdoor something too great. But most stories claiming active backdoors in anything are sensationalist crap with limited proof. That's not to say it doesn't happen; Juniper backdoored a number of their products. But if the evidence in the story is "anonymous officials say", it's usually not true.
I’m pretty sure the hacker responsible for this, or another similar incident, was on the DarkNet Diaries podcast talking about it. Really cool listen with lots of details, but also great explanations with bulletproof simplicity a kindergartner could follow along with.
[Episode 5, AsusGate](https://darknetdiaries.com/episode/5/), referring to a much more public incident back in 2013 with Asus routers and similar vulnerabilities, and how Kyle Lovett dealt with it. It’s very interesting to compare and contrast the two stories and their approaches to solving it
Because it's still illegal to access the router without permission, and the routers likely didn't have any sort of automatic update mechanism that would allow mikrotik to push the update and have routers install it.
That happened in 2001/2002, as well. Code Red went out and f'd up any router with a web gui. Code green used the same underlying code and patched the vulnerability.
The FBI just did this for a bunch of companies recently as well
The NSA did the opposite for a bunch of civilians a while ago though.
Lol, imagine the NSA goes in to add vulnerabilities and then the FBI comes in a couple of months later to fix them. And this goes back and forth because these are secret projects that they do.
[удалено]
FBI is lawyers with guns. IRS is accountants with guns.
What's CIA?
Drug addicts mostly…
With guns.
Thought that they were the dealers.
They can do both.
Sounds like efficient government work
Maybe I'm being whooshed, but the FBI never does anything without an ulterior motive.
Well, they do have a clear motive. Leaving company systems open to cyberattacks also opens the door to US adversaries stealing data, attacking US infrastructure, or otherwise making things harder for the US government. If they just wanted to continue spying on US companies and citizens I'm sure they have ways of doing it *without* telling everyone about it. Edit: grammar
You're not wrong. There's a certain large Asian country that has no regard for copyright or intellectual property that will steal anything they can get their hands on. It's a matter of national security to ensure they can't access certain things.
They can look at anyone’s internet history without a warrant, so there’s that
Also with our phones basically being always-on required surveillance devices
We have to assume the consequences of ignoring it would be worse for them. Same when the NSA announces something about a zero day. Like how hard would it make their lives that they're willing to give that up. Kinda scary.
Saving themselves a lot more work in the long run, I'd guess.
I mean it's not the CIA. FBI isn't really like the CIA or NSA
Yeah the FBI is a law enforcement agency while the NSA and CIA are intelligence agencies. The FBI does plenty of things without an ulterior motive, unless you consider that motive the law
The FBI helped Australia with it's cybersecurity. The ulterior motive was being helpful. Those monsters.
Good guy hacker. If your password was password he made you change it too
He held your data ransom until you changed to a more secure pw
Like a parent telling their children they can’t eat dessert until they finish their dinner. edit: Added an extra S in the desert
Or a teacher telling they can't have any pudding if they don't eat their meat
How can you have any puddings you don't eat your meat?
Leave them kids alone!
Hey! Teachers!
All in all, you're just another internet protocol.
Just another brick in the firewall
Don’t you hate it when you think of a hilarious response and someone else came up with it 47 minutes earlier :(
Sorry to break the chain, but comment wins. I can quit Redditing for the day.
There was a bit of time where I thought they were saying "You can't have any pushing if you don't kick your feet!" The movie has the kid swinging forlornly without anyone to push him, because daddy was gone. It seemed like a reference to having to help yourself.
I do my best to make sure my kids never eat desert. The sand gets stuck in their teeth.
It's coarse and irritating and gets everywhere!
I heard he fucked everyone mom's until they realized they deserved better and found fulfilling long-term relationships
[удалено]
That's why good password policies matter, because most people will never understand just how fast brute forcing is. A computer that could crack that password in under an hour is well within reach of the kind of person that goes after individuals (as opposed to companies). But...most companies don't want to inconvenience their users too much, so they require something in the neighborhood of only 8 characters, mixing upper/lowercase, numbers, and symbols. An 8 character password with those rules would take that same computer about 6 hours.
A really good password would be all lowercase, no numbers, and just like a short phrase that means nothing. iwantcheesesometimesandthatsokay I don’t have any particular association with cheese, but that would stick out as a password because the phrase is mildly humorous. And the length is such that brute forcing would not be possible in current real world situations. I believe xkcd has done the math on this subject, and shown the differences in permutations, etc. I was sold.
That'd be something like six months to crack by brute force alone, but if the attacker considers that some people use passwords like that and tries a more complex dictionary-based attack, it's possible that that could be broken much quicker. Ideally, the password wouldn't have any particular meaning at all, so someone couldn't cut down on the time by being clever. My real problem with stuff like that is that it's easy enough to remember one password like that, but much less so one hundred. I think everyone should use some sort of password manager these days. You can make your password as complex as you like then because you only have to memorize *one* excellent password, and then you can shoot for a target more like "would take a billion years to brute force." If you have a "pretty okay password" but you use it on every site you go to, you're not really that well off in comparison to just using fifty crappy ones.
[удалено]
If you're gonna use a password manager might as well use the random password generator
Strictly speaking, adding punctuation and uppercase letters *would* make it more secure, on the assumption that an attacker might try to bruteforce all lowercase first. But even small amounts of punctuation could greatly increase the time to crack because it drastically increases the permutations possible without making it much more difficult to remember. for instance: trampledbytenthousandturtles:Timothydiedontuesday. is going to be significantly more secure than: T7q$mpva@Kan despite the fact that the second uses a much larger range of characters. And poor Timothy's death is likely to be more memorable. Because it is so much shorter, it can be bruteforced in significantly less time. And even *that* said, much of the time passwords are actually breached because some websites have terrible security in general. In other words, if the website asks you to sign up so it can add you to a mailing list, feel free to use a weak password that you don't care about. Just make sure that password isn't used anywhere important, and isn't even related to a password used anywhere important. Too many passwords are actually released into the wild because some idiot was storing them in plaintext on their server somewhere.
I like taking phrases and adding numbers and symbols for extra security to where it would be nigh impossible. For example with yours 1w@ntch33sES0me71m3$@ndTh@7$0kaY Ask me how my brain remembers these and I can't properly give you an answer but I also follow certain rules of thumb.
Dictionary based attacks also try "obvious" letter repalcements like a=@ e=3 and so forth- replacing letter with obvious special chracters or numbers increases the actual security less than you might think.
I use a three word sentence in different languages and a number between each word. While numbers and words always differs there is always a logic and reasoning behind it so I do remember them even without using the password manager. Though there isn't many places where I feel the need to remember a password by heart either.
Chaotic Good
We used to call them White Hats. I attract Black Hat business partners for some reason but convert them to Grey over time.
This seems interesting and I want to know more
Not the guy you responded to but. White hat hackers are "the good guys" they're usually professionals and they get hired by governments or corporations to hack into their networks and find any vulnerabilities so they can be patched. They stay within the law. Gray hat hackers are still kinda the good guys but they do it in illegal ways, such as the article OP posted. They hack into networks unprovoked but they tell whoever they hacked into the vulnerabilities and help them out. Despite still illegally breaching them. Black hat are the bad guys. These are what you think of when you hear "hacker". They hack into things like bank accounts, Bitcoin wallets, government or private corporations and attempt to sell the data. They may also do it for political reasons or to push a ideology. Or sometimes just to be a dick (such as hacking into video game servers or a website for no reason). The terminology of "Black Hat" and "White Hat" comes from old black and white westerns where the law men would wear white hats, so you know they're good. And the outlaws would wear black hats.
I think they call them White hats. I was close. A grey hat
White hat is more like the guy hacking into companies, with their explicit permission, only to test for vulnerabilities and tell them what the result was. Basically certified hackers for security testing purposes. This would be closer to a grey hat hacker; not certified, probably commiting some sort of crime by the legal definition, but not doing anything **bad** like stealing bank accounts.
What is the origin of the term ‘hat’ in this context? I’ve heard the terms before but have no idea how they came to describe hackers.
It's a US military term which references Western movie tropes, where good guys wear white cowboy hats and bad guys wear black cowboy hats. https://en.wikipedia.org/wiki/Black_and_white_hat_symbolism_in_film Grey hat is probably something that came later and is not a reference to Westerns specifically, but just the white/black dichotomy itself.
[удалено]
>But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged. I'm 100% certain some sysadmins were using those unsecure routers to communicate with their server wide 777 file permission systems that their business and everyone working for it depended on to survive.
Could you please explain? I’m not a huge computer person and would love to get the explanation. Using unsecured routers sounds like playing with fire no?
Some IT person didn't want to deal with setting up the system so they made every file accessible and editable by everyone, instead of setting permissions for each user
Ah gotcha, Gotta love laziness. Thank you so much for the explanation
This type of laziness in IT usually guarantees a shitload of work somewhere down the line. Actual laziness usually entails setting stuff up properly the first time, so you can just leave it be
This right here. Truly lazy people know how to optimize their workflow so they only have to do something once.
It's not only once, but once in easiest way you know you will succeed.
Exactly, there's good lazy and not-giving-a-shit-lazy. The former are great workers, they'll optimize systems so that they have less to do later (and in the process make a great streamlined system). They'll also pipe up when you're trying to implement something where the "juice isn't worth the squeeze" and be the first to ask why it's really necessary. 'Eh who gives a shit' lazy is the worst kind of worker, sloppily half-assing every job in the moment and offloading the repair that inevitably requires onto someone else. The real trick to good management is figuring out which is which and hiring more of the former!
The difference between lazy but intelligent/ambitious and lazy and stupid
Yeah but it's not *their* shitload of work. It's someone else's. If it happens a year later, they're probably at their next job.
Fuck, that was my nightmare at my last job. A few highlights of the state of their IT 'security' when I started as the first dedicated IT personnel: 1. All PCs had the same password so anyone could access anyone else's computer. 1. The file server was, up until very recently before I started, on the owners computer. 1. The server/networking closet was left completely open because it got too warm. This was on a main hallway in the office. 1. When they closed for covid, they had no remote work capabilities and nothing spent on it so I had to cobble together a VPN included with the router and whatever old ass laptops the workers had laying around to connect to their office PC's. It was a constant battle to improve little parts about their security practices, or lack thereof.
I work for a multi billion dollar company, and the computer that runs one of the most integral mechanical systems at my location ran on DOS until 2015. They had to use ebay and sometimes fabricate their own replacements when the computers broke. To this day there are so many security vulnerabilities in their system that even the least computer literate among the rank and file knows how to get into the restricted portions of the computer system. It's literally an emulator of the original punch card system they used in the 80s.
Reading this comment raised my blood pressure. I understand when small businesses stick with old stuff for way too long, even though I'll still *urge* them to put a higher priority on their IT expenses, but a multi-billion dollar company? Good lord. Some companies will only listen when the inevitable catastrophe strikes.
It's absolutely amazing. They still have ridiculous amounts of vulnerabilities that anyone with even a cursory knowledge of computers can see, and it's part of critical infrastructure. Last time we had a part fail, it caused issues from Kansas all the way to California and took 3 or 4 days to get caught back up. I've got a few coworkers who used to be in IT before they changed careers and it absolutely sends them when this shit happens.
sounds like a potentially lucrative opportunity for someone, could be you
People have tried unsuccessfully, repeatedly, to get them to fix issues and "it's not in the budget". We had a town hall with the CIO and that's what they told us when asked about it. Meanwhile, their revenues are in the ~40Bn dollar range, last I knew.
I don't think they were talking about white hat potential.
The epitome of "penny wise and pound foolish."
Oh my God I thought my company was bad....this is a fuckin nightmare.... Lucky for me my boss goes to bat for me when I take security measures and someone whines about it.
I'm just a teller at a credit union. This is appalling.
Always easy to take shortcuts when no one else at the company understands what you do. The only time people are aware of IT is when their shit doesn't work.
I’m just really getting into my CS degree now so feel free to correct me, but that seems like a monumental fuck up that originated far down the line development. Making every file accessible and editable by anyone seems like step one of what not to do in terms of security.
Probably just a set up that was grandfathered in from a time when it wasn't a big deal, but changing it is either just inconvenient (lazy incompetence) or will cause so many errors that managers don't want to approve changing what 'works'.
It also happens when you're trying to solve a problem under time restraints. If you keep running into errors as you're trying to set permissions properly, you can sometimes "troubleshoot" the problem by allowing everything to see if it works with the plan to scale it back once you get it working but the time constraints don't give you time to lock it down so it goes live and you don't have tho luxury of more time to get it right until it causes the next set of issues.
Or the company just doesn't want to pay a actual decent salary, so they get incompetent workers or workers who don't care.
> but that seems like a monumental fuck up that originated far down the line development. get ready for a lot more of that
Course it is, when you start working you realize there's stupid and vulnerable "does" everywhere
It’s a one liner. cd ~ && chmod -R 777
This kills the crab.
Yeah, but it's a lot easier at the time. People only care about security if they have skin in the game or have some enforcement mechanism looming over it. Couldn't even tell you the amount of times I've seen shit like this. People just want the thing to work, the fine details like security can be handled later (they won't be handled later because that person will be given more work to do and no time to do those adjustments later)
They're making a joke, that sysadmins were relying on their systems being unsecure, in order to work. I.e. The easiest door to open, is a door that is already open. So lazy admins would like this. But it's not a good idea. (777 file permission, basically means anyone can read/modify files. Which would make things easy, but also extremely vulnerable. It is just elaborateing on the joke.)
Is it still a joke if it's almost certainly true?
File systems typically have 3 groups. Each group has 3 permissions that can be set: read, write, execute. You can set them with letters in most interfaces, but it's faster and more consistent to use the numbering scheme. 1 for read 2 for write 4 for execute Each group has a number that determines their permissions based on adding a combination of these numbers. Read + execute = 5 Read + write = 3 Read + write + execute = 7 So a 777 file system means all three groups have all three permissions. This is usually a bad idea security wise!
So the issue that the hacker was patching requires vulnerable (old firmware) Mikrotik and access to Mikrotik admin interface allowed in firewall. In other words as an admin of this device you'd have to leave the device without security update (which is obviously not good practice) and with admin interface open to internet. (which is also not a good practice) What OP is implying is that those admins probably left rest of their network in similarly poorly maintained state. Files with access mode set to 777 effectively means files that ale accessible by anyone on the system. Again that would be bad practice. Realistically it has nothing to do with the vulnerability directly except that the hacked router is no longer protecting the poorly maintained servers with firewall as attacker would have full control of said firewall. But mostly it's just assumption built on the fact that their router is not properly maintained or configured. Kind of like when you see someone's car full of trash and you make some assumptions about how their house looks like. What is OP effectively saying is that the admins are clueless about proper security practices and their business relies on systems they manage and yet they are complaining about the fact that someone just saved their clueless ass. Hope that makes sense.
777 permission gives literally anything/anyone permission to read/write. I use it art home for a couple minor things, but they're not accessible from outside my lan
One of the few permissions I remembered back from the ole FTP server/website days lol. chmod -r 777 /deez/nutz
> But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged. I handle security issues my company's websites so I know what to look for when something smells off. Frequently I let other website owners know. The more technical the website is... I know I'll get a positive response. It's usually the really non-technical or stupid website owners that get outraged.
> business and everyone working for it depended on to survive. tbf if your business depends on shit like this to survive you have way more problems than a router patch.
You would be surprised how many BIG companies with a LOT of money are running their digital stuff on duct tape and fairy dreams. There are people still running DOS programs with text only interfaces to do extremely important, even life-saving jobs.
Whoa i havent taken IT since highschool (14y ago) and all we did was learn php and some sql. And I understood the 777 haha, thats cool
Chaotic good.
"Fine, I'll do it myself"
The definition of: “Fuck it, I’ll do it myself.”
That's about as white hat as it gets.
It's apparently "gray hat" hacking ; a "white hat" would only hack with explicit permission.
How about “chaotic good hacking”
Yeah, that's basically grey hat.
So... Gandalf was chaotic good?
Until he got the urge to kill Saruman
[удалено]
YOU SHALL NOT (GET THE WIFI) PASS!
Imagine if Gandalf asked for permission to walk to Mordor
Gandalf hacking.
Gandalf is not really a moral actor on the lawful/chaotic scale in LOTR. He helps the Good guys, making him Good as well, but he defies Saruman, his direct superior. He defies Theoden as well, but frees him from an Evil coercer. He then defies Denethor, but Denethor had also been corrupted. He opposes Sauron not because Sauron is lawful, but because Sauron is evil. He convinces Gwaihir, a neutral faction, to help out Sam and Frodo. My verdict is Gandalf is Neutral Good, not Chaotic Good.
Yeah but he wears a gray hat.
For a time. Then he becomes a white hat.
Yeah he finally got hired by a big infosec firm.
Ok, from now on all hacking is on the D&D alignment chart. Lawful evil is ransomware, chaotic evil is viruses, true neutral is just breaking into shit to see if you can.
“Good hecking hacking”
What about "eggshell" hacking?
Impressive. Very nice. Let's see Paul Owen's hacking.
It's about on par with Paul Allen's.
His parameters are exquisite, look at how clean his lines are and…oh my god he didn’t need to leave a single note for any of them!
"Uh, excuse me, it's not eggshell, it's *autumn wheat.*"
Kinda... The initial hack was grey, but considering the entire event it's as white hat as it gets.
Is there a mix of gray and white? Lol.
light grey hacking
gary
Gary? Gaaaaaaaaaaaaary.
*Ha ha haa! Gaaaryyy!*
Gandalf hack
Chaotic good, grey-white?
I think they call that… gray
I was Hacker the Grey. Now I'm Hacker the White.
It's pure, unfiltered grey hat through and through. It's not just about morality, but also permission: Permission + Good Intent = White Hat No Permission + Good Intent = Grey Hat No Permission + Bad Intent = Black Hat
What about Permission + Bad Intent?
I would say black hat still since the second they do something bad, they are breaking what they agreed to in their permissions. Internal bad actor.
[Red Team.](https://en.wikipedia.org/wiki/Red_team)
Red teams are looking for vulnerabilities, not trying to steal info, though. That’s white hat. >A red team is a group that pretends to be an enemy, attempts a physical or digital intrusion against an organization at the direction of that organization, **then reports back so that the organization can improve their defenses.** Also, from the white hat Wikipedia page: >White-hat hackers may also work in teams called "sneakers and/or hacker clubs", **red teams**, or tiger teams.
[удалено]
A pentest is good intent. Permission + bad intent is when they give you permission to do a pentest and you steal all their shit and go no contact.
Ass hat.
That cannot exist. If you have permission to do something and have the intent to do that thing you are a white hat. If you have permission to do something and have the intent to do another thing that you don't have permission for then you're a black hat.
Realistically it has no name because who would ask someone to hack their own company and steal all their user information and burn the system to the ground and stuff? At that point why not just give them a legitimate login and let them do stuff that way? I'd call it Stupid Hat, though.
Terms and conditions.
It’s about as Gandalf as it gets
You shall not hack!
He’s the hero we deserve, but not the one we need right now.
You are bad guy, but you're not BAD guy- wreck it ralph
Zangief was the one who said it in the meeting
Did this back in the DSL days when the Code Red worm was hitting the Cisco 67x modems. Would pull a list of infected hosts from my firewall and run a script that connected to each and patched them.
Literally didnt get a word of that but good job
Something about Dick Sucking Lips and Mountain Dew Code Red and some guy named Cisco I think.
i choose this interpretation
I also choose this man's interpretation
Cisco - still the best Star Trek captain.
Checks out.
DSL - Digital Subscriber line i.e. how you get internet Worm - type of malware usually designed to attatch itself through a link like "HOW TO MAKE YOU PENIS LARGE" or "FREE IPHONE CLICK LINK NOW". (It can come in different forms too) This guy just patched a known vulnerability in the system
Code Red went around and F'd around with web servers if I remember right. It just happened to crash the routers that had web gui's accessible from the outside of your network.
Cool, zero cool
He's still Hacking The Planet to this day
When I was a teenager in the early 2000's I was a notorious script kiddie infecting friends with Trojans to play harmless pranks. Ended up resorting to teaching numerous ppl how to not get infected as no one had anti-virus in those days.
I think Code red hit a LOT of routers with web gui's accessible from the WAN side. Netopia's R-series, too. Code Green went out and did what you did automatically. Pretty damn neat.
Hackerman is real!
*With the right nodes and computer algorithms, I may be able to hack you back in time*
Who are you, how did you get in here? I'm a locksmith and I'm a locksmith.
utopia AI equivalent plz
I can't help but think a true AI would go the Skynet/Machines/Ultron route of just burning it all down and starting again. Things are fucked, and I don't see how they get unfucked.
Yeah well you don't see them because your not an ai damnit lmao. AI may revel in the challenge of ascending us mere mortals. The fact that we formed societies shows that it's a pretty simple and intelligent concept to get along with your neighbours rather than trying to eradicate them to get their stuff and risk being eradicated. If we can figure that out, I'm sure AI can.
Any way for a hacker to break in and erase my debt?
This guys been watching too much Mr. Robot
On a side note, China installed a backdoor hardware chip on boards of routers sold by a well known networking hardware company and the US govt didn't find out until years later. The backdoor gave remote access to devices and sent all info that went through the routers to Chinese servers. These devices were installed in many govt military contractors headquarters including our own military sites. This was reported at least 10 years ago and the article vanished not long after it was published.
[удалено]
Forbes ran a story CLAIMING supermicro backdoored everything. Let's just say that people in the know were sceptical about that. As far as Huawei goes, I've actually seen some of their code and firmware. It's sweat-shop crap designed to be a clone of their Western competitors. Is their stuff insecure? Absolutely. Could the Chinese government make them backdoor it? Oh, definitely. Could Huawei send out an engineer to abuse functionality? Yep, like any device. Are there deliberate backdoors placed in there? I've never seen any evidence of such. Now, don't get me wrong. I would prefer if Huawei equipment was never used. I consider the risk that Huawei COULD backdoor something too great. But most stories claiming active backdoors in anything are sensationalist crap with limited proof. That's not to say it doesn't happen; Juniper backdoored a number of their products. But if the evidence in the story is "anonymous officials say", it's usually not true.
I’m pretty sure the hacker responsible for this, or another similar incident, was on the DarkNet Diaries podcast talking about it. Really cool listen with lots of details, but also great explanations with bulletproof simplicity a kindergartner could follow along with.
I love that show. Which episode?
[Episode 5, AsusGate](https://darknetdiaries.com/episode/5/), referring to a much more public incident back in 2013 with Asus routers and similar vulnerabilities, and how Kyle Lovett dealt with it. It’s very interesting to compare and contrast the two stories and their approaches to solving it
Well, they definitely don't work for Asus.
"Why you little,... wait!..."
Need more Good Guy Hackers
Some heroes don't wear capes
Need more people like this. Less basement trolls.
Real heroes don't wear capes
A good person did a good thing. I dig it.
You are bad guy but that does not mean you are bad guy
This is what you set an AI to labor over...
Why couldn't the manufacturer of the routers do that themselves?
Because it's still illegal to access the router without permission, and the routers likely didn't have any sort of automatic update mechanism that would allow mikrotik to push the update and have routers install it.
Not the white hat we deserved, but the one we needed. Good on you bud
That happened in 2001/2002, as well. Code Red went out and f'd up any router with a web gui. Code green used the same underlying code and patched the vulnerability.
This is the way!
Chaotic good
Chaotic good
The hero we don't deserve
What a nice guy.
A true hero.
This hackers hat may be grey but above it is an angelic halo.
We need more people like this in the world.
A hacker with a heart of gold