Was talking to my cousin yesterday and he does big government-adjacent security contracts and he said no one is using YubiKeys because of cost. If they need hardware tokens due to gov compliance they buy the same smart cards the gov uses. Otherwise they don’t bother with hardware tokens.
TLDR: I don’t think YubiKey gives much if any discount, and the cost of implementing hardware tokens on top of that makes it a non-starter for many businesses.
I commend you for your efforts. Whatever they are paying you, it is not enough. You better get positive job references for life!
Also, everything that you just went through shows how to not do things properly. As you move up in the world, remember these as anecdotes when someone tells you to do something dumb in place of convenience.
After today’s security incident, I got a feeling that I’m going to get a blank check for YubiKeys to enroll the C-Suite into the Google Advanced Protection programme.
Today I took down most of our entire finance backend for like 5 minutes.
Turns out that the previous IT designed most things to stop working if his workspace account was disabled, but doing a quick ownership transfer to a different workspace account managed to get things back up and running.
As I needed to do some deployment tasks, which required some files only IT had, I also took ownership of the whole GDrive. Turns out that most of the installers, documents and ISOs were removed, and all that was left were empty folders.
The longer I’m at this company, the more it feels like the previous IT guy was either so malicious that he rigged things up to sabotage the new sysadmin, or he was THAT incompetent.
It’s likely just laziness. You got things working and you should have taken steps to keep it working, but it’s fine right now so we’ll deal with it later when an actual problem comes…
I once spent about a day and a half trying to figure out why I couldn’t get my InfiniBand to link up. Different Mellanox drivers, different QSFP transceiver…
Turns out it helps if you actually plug the other end of the fiber into the switch on the other side of the house.
I once plugged a USB cable into the Ethernet port of a laptop and kept dozens of people waiting for an hour while I tried to figure it out. Once I did, I swapped the cable and claimed the other 2 I had tried were broken…
Think of the OSI model as being “how tricky the problem is to identify”, but in a DEFCON sort of way where the lower numbers are more tricky.
Layer 1: goddamn it, I spent 4 days looking at configs.
Layer 8: we’ve designed everything and it’s waiting to be implemented, but it’s waiting on CTO sign-off.
It’s the biggest layer, I’ve found out, as I’m in month 4 of trying to get a system online that would have taken a few hours to actually deploy. But hey, layer 8 pays the most too…