29 or 30?
I'm going to apply at my company to be a security analyst.
They are building a new SOC at our location. Much excite over the next few months.
Good luck!
really.
You installed Arch Linux instead of FreeBSD.
really.
Yes, lowercase r.
really.
I, sir, am outraged.
I guess I get it, though. You probably needed Docker and/or Kubernetes and some games (something FreeBSD could have solved with Jails or slick Linux emulation) or some third party software that isn't supported.
But srs…
really.
I am very excited for you and look forward to you going into detail over your very exploits (heh, pun intended)
But, please, sir/madam, I ask you, if you move into InfoSec and find yourself carving out a home and career in that niche, please:
Don't be just another work generator for those of us that are on the admin side.
The first company I was a sysadmin at, the InfoSec team was badass. They reverse engineered malware, added signatures to the firewall, configured the firewall, tracked hackers, fortified servers and networks, and all kinds of crazy things. They were awesome.
Since then
It has been nothing but compliance folk and policy pushers that just generate work for me and my teams. It's obnoxious and it gets old, and your audit isn't that important.
I am happy for you, I don't want to be a negative nancy or debbie downer. But this pattern has been consistent in my last three or four companies. It disgusts me. We should be on the same team not you trying to document me out of being productive.
The magic number for me seems to be no more than 2.
That's what infosec is these days. It's all compliance and audits, all busywork, and everybody hates you for it. That's why I stopped doing it 15 years ago, it isn't sexy pentests anymore.
More specifically?
I've got KDE and Gnome on Fedora 30 and haven't seen any real problems yet?
That's not by choice, the customer has requirements. Please sir/madam read the contract that pays the bills that require a compliance baseline or work somewhere that doesn't. End rant from someone who gets bitched at by IT in the defense industry. It's like Honda bitching their air bags are a) required b) work as advertised.
All seriousness, my work went from a very collaborative relationship to "us vs them" and it's just not necessary. It's the fault of both sides where I am at, but it's all unfounded IMO. I take pride in being one of the few sec side that has a great relationship with IT side, but I see so much childish ego on both sides and have gained such a huge understanding of the need for separation of duty or things slip.
I guess that heavily depends on industry and the customer.
Most likely contracts are written to protect both parties and need the customer to be compliant just as the software company or service provider depending on what exact constellation of IT-department -> customer you are talking about. And I'm sure that it's a completely different thing when it comes to government regulations.
What I mean is this:
GDPR and DSGVO are great and having your customer pay an external company to do pen-testing of the product they bought
BUT
If nothing serious is found other than "it would be good to hide version of used apache in some headers" then it will not help to rush, scream, open tickets, call, send emails and pretend that your users are on the brink of getting hacked2death.
What papadev @AnotherDev is saying is that there is a difference between people pushing somewhat useless paperwork towards you and bind your time to what they need to work on and on the other hand there are hands-on people who actually make things more secure
one party is talking about compliance and policy and guidelines and run around with a lot of paper in their hands and then there are some folks typing away verifying signatures and adding response validation where it's possible.
technically the same, practically not.
And I would urge anyone who works in SysAdmin land to communicate as clearly as possible:
- If you want to push off work on me / my team, it has to be technical
- if it isn't technical, it's not my to do but I'm happy to help you
- if you need me to write up a guideline / policy / compliance you need to go to the CIO or someone like that
- if there is no other way, let's talk about how to do this efficiently with my superior and find a fitting solution for everybody involved.
I really like working with IT-Sec people or SecOps or whatever is the cool new name that position has this quarter but non-tech people that always talk about sheets of paper with some basic guidelines bore me to death and that stuff is only for the bureaucracy to satisfy the need that it is written down somewhere. how the infrastructure is actually managed, updated, patched, configured, fortified and tested differs wildly.
Closing statement:
Let tech-people do the tech stuff
Let !?-people do the paperwork stuff
On a bi-weekly basis bring those together for a quick meeting and we're done.
thank you for attending my TEDx talk.
Nice! I'm in on that.
That's actually next on my list of things to try, but I really need to get some work done, so I don't have time to fuck about with learning a new OS quite yet.
Doesn't like i3, for some reason. really didn't like dwm. Kernel 5.0 caused major performance issues in my VMs and I had issues with ZFS on that one as well.
KDE works great, Gnome works ehhh
I've had exactly the opposite of this experience, but then again I'm not adept to KDE's quirks
I pushed through the KDE quirks and really enjoy it now.
I tried using it and it wasn't bad, I just couldn't get to settings in places where I thought they should be. It was confusing. Gnome on the other hand was so simple I was begging for there to be more to it.
I really like the mint implementation of cinnamon. Every other distro with cinnamon just never seems to do it for me.
My mom is on mint with cinnamon and I haven't heard a single complaint from her about it. I installed chrome and the only thing she has mentioned to me is that she has to enter her password more often but she doesn't mind this much. shit just werks yo.
Small note:
That is the same thing, General Data Protection Regulation (english) = Datenschutz-Grundverordnung (german)
Linux Mint is pretty great honestly. I'm debating on installing this for my Grandma when I upgrade her computer from spinning rust to an SSD or with Manjaro Deepin. Will see which one she likes most
Correct, I tried to appeal to our english and german speaking audience.
Usually it comes out of some audit requirement.
Whether or not you are actually secure you need to demonstrate/document/"prove" that you have taken the necessary steps and/or done due diligence to try and be secure as much as is practicable.
So thatās why things can be so paperwork heavy.
And yes, from the tech side it's a complete waste of fucking time, but just as IT/dev/security guys don't like it, neither do the business peeps who have to answer to the board/shareholders/etc.
It's an unfortunate fact of life that once your company gets big enough, this sort of paperwork overhead bullshit becomes a thing.
Nobody likes it, but it's a "we don't want to be sued" thing.
If there is documented policy/etc. in place then a breach is perhaps considered unfortunate human error or lack of adherence to procedure. If there is no policy or documentation in place, it is more likely to be considered gross negligence on behalf of the company which attracts much more severe repercussions.
We're going through this shit where I work at the moment, driven by business auditors.
It can also protect the staff involved too. If you've raised/documented concerns and the business side says "ok, noted but we aren't paying to fix it because management considers it to be low risk" then your ass is safe from a legal perspective.
I agree with both of you. I hate everything about KDE. EXCEPT, their composite manager and their utilities. I hate their settings menu, I hate their systray, I hate their application menu, I hate, I hate, I hate. I could go on. I love the UI/UX of Gnome3.* I love the workflow of Gnome3, I love the shortcuts, tools, etc. But damn the screen rippling and screen tearing gets, freaking, old. Their composite manager sucks. Until it gets worked out, I'm sticking with KDE or i3 + compton.
* I still laugh myself to sleep frequently reflecting on the Windows 8 days. People were OUTRAGED at Metro and tiles. SO much so that more people than I've seen (personally) jumped from Windows to Linux… To which they used Gnome3, primarily, which had the same layout and hot corners as Windows 8.
Chuckle. Chortle. Lulz. Guffaw.
From a systems administration perspective, I don't do either. I install basic X.org if I need X11 forwarding, but I usually disable it and restart sshd when I'm done.
I sense a disturbance…
Lots of DE talk that goes in the Linux User Group.
someone find me a FC switch with 12 ports or less that I can run at home.