• CrabAndBroom@lemmy.ml · ↑27 · 2 months ago

    I had a boss at an animation company (so not exactly a hub of IT experts, but still) who I witnessed do the following:

    • Boot up the computer on her desk, which was a Mac

    • Once it had booted, she then launched Windows inside a VM inside the Mac

    • Once booted into that, she then loaded Outlook inside the Windows VM and that was how she checked her email.

    As far as I could ascertain, at some point she’d had a Windows PC with Outlook that was all set up how she liked it. The whole office then at some point switched over to Macs for whatever reason and some lunatic had come up with this as a solution so she wouldn’t have to learn a new email thing.

    When I tried to gently enquire as to why she didn’t just install Outlook for Mac I was told I was being unhelpful so I just left it alone lol. But I still think about it sometimes.

    • linearchaos@lemmy.world · ↑14 · 2 months ago

      I’m not certain that it’s still the case, but several years ago Outlook for Mac was incapable of handling certain aspects of calendars in public folders and shared groups, and there was some difficulty with delegation/send-as.

      At the time the best answer I had was for the Mac users to use Outlook as much as possible and then log into webmail when they needed to send us. It’s been a few years, so I can’t help but think it’s been fixed by now. Or at the very least equally broken on PC.

  • Epzillon@lemmy.ml · ↑27 ↓1 · 2 months ago

    Using the FileZilla FTP client for production releases in 2024 hit me hard.

      • sznowicki@lemmy.world · ↑2 · 2 months ago

        It had a major security problem in like 2010. Later everyone moved to git and CI/CD, so nobody knows what happened after that.

      • dfyx@lemmy.helios42.de · ↑11 ↓1 · 2 months ago

        FileZilla itself is not the problem. Deploying to production by hand is. Everything you do manually is a potential source of mistakes. Forget to upload a critical file, accidentally overwrite a configuration… better automate that stuff.

        • Epzillon@lemmy.ml · ↑4 · 2 months ago

          This. Starting at the company in 2023 and having my first task be to “start enhancing a 5 y/o project” seemed fine until I realized the project was not even using git, was being publicly hosted online and contained ALL customer invoices and sales data. On top of this I had to pull the files down from the live server via FTP as it didn’t exist anywhere else. It was kinda wild.

        • Contravariant@lemmy.world · ↑1 · 2 months ago

          Wait, so the production release would consist of uploading the files with FileZilla?

          If you can SSH into the server, why on earth use FileZilla?

  • MeetInPotatoes@lemmy.ml · ↑23 · 2 months ago

    A behavioral health company with 25 iPads deployed to field employees as patient data collection devices all signed into the same iCloud account instead of using MDM or anything.

    They all had the same screen lock PINs, and though most of the data was stored in a cloud-based service protected by a login, that app’s password was saved by default.

  • UmeU@lemmy.world · ↑5 · 2 months ago

    Office Depot. They are still using IBM machines from the 90s with receipt printers the size of a shoebox.

  • Crackhappy@lemmy.world · ↑34 ↓2 · 2 months ago

    Wells Fargo. I worked for them for a few years and I have never banked with them after witnessing the travesty of inefficiency and incompetence, literally in my face.

  • SuperiorOne@lemmy.ml · ↑25 · 2 months ago

    I was a backend developer for a startup company where:

    • Windows servers without any firewall or security hardening.
    • Docker Swarm without WSL. We had to use 4 GB Windows base images for 50 MB web apps.
    • MSSQL without any replication or backups.
    • Redis installed on Windows via a 3rd-party tool that looked like a 2010-era keygen.
    • Malware exploited the Redis (what a surprise) and kept killing processes to mine crypto on the CPU…
    • The VPS provider forgot to activate the new Windows Server on production and it kept restarting every 30 minutes until I checked the logs and notified them about the missing license.

    I left there after 6 months.

  • wintermute@discuss.tchncs.de · ↑30 · 2 months ago

    I was hired to implement a CRM for an insurance company to replace their current system.

    Of course no documentation or functional requirements were provided, so part of the task was to reverse engineer the current CRM.

    After a couple of hours trying to find some type of backend code on the server, I discovered the bizarre truth: every bit of business logic was implemented in stored procedures and triggers on an MSSQL database. There was no frontend code on the server either; users had some ActiveX controls installed locally that accessed the DB.

    • rekabis@lemmy.ca · ↑5 · 2 months ago

      every bit of business logic was implemented in Stored Procedures and Triggers on a MSSQL database.

      Provided the SPs are managed in a CVS and pushed to the DB via migrations (similar to Entity Framework), this is simply laborious for the devs. Provided the business rules are simple to express in SQL, this can actually be more performant than doing it in code (although it rarely ever is that simple).

      There were no frontend code either on the server, users have some ActiveX controls installed locally that accessed the DB.

      This is the actual WTF for me.

      • wintermute@discuss.tchncs.de · ↑5 · 2 months ago

        There was no version control at all. The company that provided the software was really shady, and the implementation was so bad that the (only) developer was there full time fixing the code and data directly in production when the users had any issue (which was several times a day).

    • Bakkoda@sh.itjust.works · ↑6 · 2 months ago

      A non-profit where the executive director is the only IT person (she’s not tech savvy at all). It’s horrific.

      • corsicanguppy@lemmy.ca · ↑5 · 2 months ago

        Given the way it works, no one who knows better can easily donate time to a charity. It’s a paperwork and taxation mess to do a good thing.

  • space_of_eights@lemmy.ml · ↑15 · 2 months ago

    I have worked as a lead developer for a major print shop with about 100 employees. The entire order workflow for all branches was shoehorned into one order management system that was initially hacked together for one or two users. It was built on a then-already-ancient OpenERP system and it had a PHP and Smarty frontend for the actual order management. All was hosted on one old Debian box, which was a VM on a Windows server.

    At some point in time, MT decided to slap a web shop onto this system, which was part of the main code base. User data were saved into the same database with plain text passwords. That was convenient for the support people: if somebody forgot their password, you could call support and they would read you your password over the phone.

    Another thing that made my hair raise in fear was that for every single order, any working file was retained indefinitely, even in the light of the then-looming GDPR laws. This amounted to terabytes of data, much of it very private.

    I worked at the main branch. When a person walked in, there was a desktop computer at the counter. No password protection, an order management screen open by default. People could just walk in and start viewing orders at will. I am not sure whether they did, but we did push MT to at least have mandatory password protection on their PCs.

  • some_guy@lemmy.sdf.org · ↑41 · 2 months ago

    We make users change their passwords every 90d. And log them out of their devices once a week. I don’t think this adds any security at all. It just reduces productivity (IMO).

    • Godort@lemm.ee · ↑39 · edited · 2 months ago

      Not only does password rotation not add to security, it actually reduces it.

      Assuming a perfect world where users are using long, randomly generated strong passwords, it’s a good idea and can increase security. However, humans are involved, and it just means users change their passwords from “Charlie1” to “Charlie2”, which makes their passwords even easier to guess. Especially if you know how often the passwords change and roughly when someone was hired.

      Ideally, your users just use a password manager and don’t know any of their credentials except for the one to access that password manager.

      If they need to manually type them in, password length should be prioritized over almost any other condition. A full sentence makes a great unique password with tons of entropy that is easy to remember and hard to guess.
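A password-change validator that rejects the trivial rotations described above (“Charlie1” to “Charlie2”) and prioritizes length, as an added Python example that is not from this thread; the password history is constructed, and the 0.8 similarity threshold, the 16-character minimum and the 7776-word dictionary size are assumed policy values.

```python
import math
import re
from difflib import SequenceMatcher
from typing import List

# Constructed password history for one user; illustrative values only.
PREVIOUS_PASSWORDS = ["Charlie1", "Charlie2", "Charlie3"]

def canonical(pw: str) -> str:
    """Lower-case the password and strip the trailing digits or symbols
    that users typically bump on each forced rotation ("Charlie2" -> "charlie")."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())

def too_similar(new_pw: str, old_pw: str, threshold: float = 0.8) -> bool:
    """True when new_pw is a trivial variant of old_pw.
    The 0.8 similarity threshold is an assumed policy value."""
    a, b = canonical(new_pw), canonical(old_pw)
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold

def check_rotation(new_pw: str, history: List[str], min_len: int = 16) -> List[str]:
    """Return reasons to reject new_pw; an empty list means accept.
    Length is checked first because it dominates guessability; the
    16-character minimum is an assumed policy value."""
    problems = []
    if len(new_pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if any(too_similar(new_pw, old) for old in history):
        problems.append("trivial variant of a previous password")
    return problems

def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy in bits of a passphrase of random words drawn from a
    dictionary (7776 words is the size of a Diceware list)."""
    return words * math.log2(dictionary_size)

def suffix_counter_bits(digits: int = 1) -> float:
    """Entropy added by a rotated decimal suffix an attacker knows to try."""
    return digits * math.log2(10)

if __name__ == "__main__":
    print(check_rotation("Charlie4", PREVIOUS_PASSWORDS))
    print(check_rotation("correct horse battery staple", PREVIOUS_PASSWORDS))
    print(f"{passphrase_bits(5):.1f} bits for five random words vs "
          f"{suffix_counter_bits():.1f} bits for a bumped digit")
```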

      • slazer2au@lemmy.world · ↑4 · 2 months ago

        SSO with passwordless is the ideal world.

        YubiKey or similar phishing-resistant MFA with biometrics is the goal, but smartphone number matching is a pretty good

  • solomon42069@lemmy.world · ↑25 · 2 months ago

    One of my ex-employers sold a construction company a six-figure “building logistics system” which was just a Microsoft Access file. And the construction dudes had to use a CDMA dongle to remote desktop into a mainframe to open their Access files. A travesty.

  • Thurstylark@lemm.ee · ↑25 · 2 months ago

    Freight shipping company still running on a custom AS/400 application for dispatch. Time is stored as a 4-digit number, which means the nightside dispatchers have their own mini Y2K bug to deal with every midnight.

    On one hand, hooray for computer-enforced fucking-off every night. On the other hand, the only people who could fix an entry stuck in the system because of this were on dayside.

    Apparently, this actually isn’t uncommon in the industry, which I think is probably the worst part to me.

    • paws@cyberpaws.lol · ↑4 · 2 months ago

      Hehe, I was in global shipping IT; we had some ooooold Solaris systems that handled freight-halting data flows. Windows Server 98 servers that handled data for very large shippers. Every daylight savings time change something would break.

  • j4k3@lemmy.world · ↑74 · 2 months ago

    Coffee shop open WiFi on the same network as the main retail central point of sale system server for several stores.

    • biscuitswalrus@aussie.zone · ↑22 ↓3 · 2 months ago

      Transport layer security should mean this shouldn’t matter. A good POS shouldn’t rely on a secure network; the security should already be built in cryptographically at the network session layer. Anything else would still have the same risk vector, just a lower chance of happening.

      In fact many POS systems happily just take a 4g/5g sim card because it doesn’t matter what network they’re on.

      • Shard@lemmy.world · ↑8 · 2 months ago

        Non-IT guy here.

        Not all attackers might want access to the POS system. Some might just want to mess around.

        Couldn’t someone mess with the WiFi or network itself? I’m just figuring someone who doesn’t secure the WiFi is someone who’s going to leave admin passwords on the default and they’d be able to mess with the network settings just enough to bring the system to a halt.

        • biscuitswalrus@aussie.zone · ↑2 · 2 months ago

          Software shouldn’t use passwords for TLS; just like before you submit your bank password, your network connection to the site has been validated and encrypted by the public key your client is using to talk to the bank server, and the bank private key to decrypt it.

          The rest of the hygiene is still up for grabs for sure, IT security is built on layers. Even if one is broken it shouldn’t lead to a failure overall. If it does, go add more layers.

          To answer about something like a WiFi Pineapple: those man-in-the-middle attacks are thwarted by TLS. The moment an invalid certificate is offered, since the man in the middle should not and cannot know the private key (something that isn’t used as whimsically as a password, and is validated by a trusted root authority).

          If an attacker has a private key, your systems have already failed. You should immediately revoke it. You publish your revocation. Invalidating it. But even that would be egregious. You’ve already let someone into the vault; they already have the crown jewels. The POS system doesn’t even need to be accessed.

          So no matter what, the WiFi is irrelevant in a setup.

          Being suspicious because of it, though, I could understand. It’s not a smoking gun, but you’d maybe look deeper out of suspicion.

          Note I’m not security operations, I’m solutions and systems administration. A SecOps person would probably agree more with you than I do.

          I consider things from a Swiss cheese model, and rely on 4+ layers of protection against most understood threat vectors. A failure of any one is minor non-compliance in my mind, a deep priority 3. Into the queue, but there’s no rush. And given a public WiFi is basically the same as a compromised WiFi, or a 5G carrier network, a POS solution should be built with strengths to handle that by default. And then security layered on top (MFA, conditional access policies, PKI/TLS, MDM, endpoint health policies, TPM and validation++++).

        • eclipse@lemmy.world · ↑2 · edited · 2 months ago

          Never trust the network in any circumstance. If you start from that basis then life becomes easier.

          Google has a good approach to this: https://cloud.google.com/beyondcorp

          EDIT:

          I’d like to add a tangential rant about companies still using shit like IP allowlists and VPNs. They’re just implementing eggshell security.