Sysadmin Mega Thread

29 or 30?

1 Like

I’m going to apply at my company to be a security analyst.

They are building a new SOC at our location. Much excite over the next few months.

5 Likes

Good luck!

:+1:

1 Like

really.

You installed Arch Linux instead of FreeBSD.

really.

Yes, lowercase r.

really.

I, sir, am outraged.

I guess I get it, though. You probably needed Docker and/or Kubernetes and some games (something FreeBSD could have solved with Jails or slick Linux emulation :wink: :wink: :wink: :kissing_heart:) or some third party software that isn’t supported.

But srs…

really.

3 Likes

I am very excited for you and look forward to you going into detail over your very exploits (heh, pun intended)

But, please, sir/madam, I ask you, if you move into InfoSec and find yourself carving out a home and career in that niche, please:

Don’t be just another work generator for those of us that are on the admin side.

The first company I was a sysadmin at the InfoSec team was badass. They reverse engineered malware, added signatures to the firewall, configured the firewall, tracked hackers, fortified servers and networks, and all kinds of crazy things. They were awesome.

Since then

It has been nothing but compliance folk and policy pushers that just generate work for me and my teams. It’s obnoxious and it gets old, and your audit isn’t that important.

I am happy for you, I don’t want to be a negative nancy or debbie downer. But this pattern has been consistent in my last three or four companies. It disgusts me. We should be on the same team not you trying to document me out of being productive.

4 Likes

The magic number for me seems to be no more than 2.

2 Likes

That’s what infosec is these days. It’s all compliance and audits, all busywork, and everybody hates you for it. That’s why I stopped doing it 15 years ago, it isn’t sexy pentests anymore.

4 Likes

More specifically?

I’ve got KDE and Gnome on Fedora 30 and haven’t seen any real problems yet?

That’s not by choice, the customer has requirements. Please sir/madam read the contract that pays the bills that require a compliance baseline or work somewhere that doesn’t. End rant from someone who gets bitched at by IT in the defense industry. It’s like Honda bitching their air bags are a) required b) work as advertised.

All seriousness, my work went from a very collaborative relationship to ‘us vs them’ and it’s just not necessary. It’s the fault of both sides where I am at, but it’s all unfounded IMO. I take pride in being one of the few sec side that has a great relationship with IT side, but I see so much childish ego on both sides and have gained such a huge understanding of the need for separation of duty or things slip.

3 Likes

I guess that heavily depends on industry and the customer.

Most likely contracts are written to protect both parties and need the customer to be compliant just as the software company or service provider depending on what exact constellation of IT-department -> customer you are talking about. And I’m sure that it’s a completely different thing when it comes to government regulations.

What I mean is this:

GDPR and DSGVO are great and having your customer pay an external company to do pen-testing of the product they bought

BUT

If nothing serious is found other than “it would be good to hide version of used apache in some headers” then it will not help to rush, scream, open tickets, call, send emails and pretend that your users are on the brink of getting hacked2death.

What papadev @AnotherDev is saying is that there is a difference between people pushing somewhat useless paperwork towards you and bind your time to what they need to work on and on the other hand there are hands-on people who actually make things more secure

one party is talking about compliance and policy and guidelines and run around with a lot of paper in their hands and then there are some folks typing away verifying signatures and adding response validation where it’s possible.

technically the same, practically not.

And I would urge anyone who works in SysAdmin land to communicate as clearly as possible:

  • If you want to push off work on me / my team, it has to be technical
  • if it isn’t technical, it’s not my to-do but I’m happy to help you
  • if you need me to write up a guideline / policy / compliance you need to go to the CIO or someone like that
  • if there is no other way, let’s talk about how to do this efficiently with my superior and find a fitting solution for everybody involved.

I really like working with IT-Sec people or SecOps or whatever is the cool new name that position has this quarter but non-tech people that always talk about sheets of paper with some basic guidelines bore me to death and that stuff is only for the bureaucracy to satisfy the need that it is written down somewhere. how the infrastructure is actually managed, updated, patched, configured, fortified and tested differs wildly.

Closing statement:

Let tech-people do the tech stuff
Let !?-people do the paperwork stuff

On a bi-weekly basis bring those together for a quick meeting and we’re done.

thank you for attending my TEDx talk.

2 Likes
  1. :confused:

Nice! I’m in on that.

That’s actually next on my list of things to try, but I really need to get some work done, so I don’t have time to fuck about with learning a new OS quite yet.

Doesn’t like i3, for some reason. really didn’t like dwm. Kernel 5.0 caused major performance issues in my VMs and I had issues with ZFS on that one as well.

KDE works great, Gnome works ehhh

2 Likes

I’ve had exactly the opposite of this experience, but then again I’m not adept to KDE’s quirks

I pushed through the KDE quirks and really enjoy it now.

I tried using it and it wasn’t bad, I just couldn’t get to settings in places where I thought they should be. It was confusing. Gnome on the other hand was so simple I was begging for there to be more to it.

I really like the mint implementation of cinnamon. Every other distro with cinnamon just never seems to do it for me.

My mom is on mint with cinnamon and I haven’t heard a single complaint from her about it. I installed chrome and the only thing she has mentioned to me is that she has to enter her password more often but she doesn’t mind this much. shit just werks yo.

Small note:

That is the same thing, General Data Protection Regulation (english) = Datenschutz-Grundverordnung (german)

1 Like

Linux Mint is pretty great honestly. I’m debating on installing this for my Grandma when I upgrade her computer from spinning rust to an SSD or with Manjaro Deepin. Will see which one she likes most

Correct, I tried to appeal to our english and german speaking audience.

1 Like

Usually it comes out of some audit requirement.

Whether or not you are actually secure you need to demonstrate/document/“prove” that you have taken the necessary steps and/or done due diligence to try and be secure as much as is practicable.

So that’s why things can be so paperwork heavy.

And yes, from the tech side it’s a complete waste of fucking time, but just as IT/dev/security guys don’t like it, neither do the business peeps who have to answer to the board/shareholders/etc.

It’s an unfortunate fact of life that once your company gets big enough, this sort of paperwork overhead bullshit becomes a thing.

Nobody likes it, but it’s a “we don’t want to be sued” thing.

If there is documented policy/etc. in place then a breach is perhaps considered unfortunate human error or lack of adherence to procedure. If there is no policy or documentation in place, it is more likely to be considered gross negligence on behalf of the company which attracts much more severe repercussions.

We’re going through this shit where I work at the moment, driven by business auditors.

It can also protect the staff involved too. If you’ve raised/documented concerns and the business side says “ok, noted but we aren’t paying to fix it because management considers it to be low risk” then your ass is safe from a legal perspective.

1 Like

I agree with both of you. I hate everything about KDE. EXCEPT, their composite manager and their utilities. I hate their settings menu, I hate their systray, I hate their application menu, I hate, I hate, I hate. I could go on. I love the UI/UX of Gnome3.* I love the workflow of Gnome3, I love the shortcuts, tools, etc. But damn the screen rippling and screen tearing gets, freaking, old. Their composite manager sucks. Until it gets worked out, I’m sticking with KDE or i3 + compton.

* I still laugh myself to sleep frequently reflecting on the Windows 8 days. People were OUTRAGED at Metro and tiles. SO much so that more people than I’ve seen (personally) jumped from Windows to Linux… To which they used Gnome3, primarily, which had the same layout and hot corners as Windows 8.

Chuckle. Chortle. Lulz. Guffaw.

From a systems administration perspective, I don’t do either. I install basic X.org if I need X11 forwarding, but I usually disable it and restart sshd when I’m done.

3 Likes

I sense a disturbance…

Lots of DE talk that goes in the Linux User Group.


someone find me a FC switch with 12 ports or less that I can run at home.

2 Likes