Sunshine is overrated.
You'll note that there still isn't a sarcasm emoji.
I wanna be a eunuchs developer! Pass me a bread knife!
Extremely.
Give me my 6 months of twilight thank you very much, a double-double will do in place.
Don't forget myself and Chris Losinger... he's still lurking around here at times too.
Jeremy Falcon
Mustafa Ismail Mustafa wrote: How is everyone?
Faarrrkkkk you for forgetting me ya bastard.
Michael Martin
Australia
"I controlled my laughter and simple said "No,I am very busy,so I can't write any code for you". The moment they heard this all the smiling face turned into a sad looking face and one of them farted. So I had to leave the place as soon as possible."
- Mr.Prakash One Fine Saturday. 24/04/2004
Hahaha, you're probably the only one I'll take an insult from Mick and SMILE about it
Hanging out with Rajesh much these days?
Mustafa Ismail Mustafa wrote: Hanging out with Rajesh much these days?
No, the bastard moved to Melbourne.
Michael Martin
Australia
"I controlled my laughter and simple said "No,I am very busy,so I can't write any code for you". The moment they heard this all the smiling face turned into a sad looking face and one of them farted. So I had to leave the place as soon as possible."
- Mr.Prakash One Fine Saturday. 24/04/2004
Welcome back, Mustafa !
cheers, Bill
«There is a spectrum, from "clearly desirable behaviour," to "possibly dodgy behavior that still makes some sense," to "clearly undesirable behavior." We try to make the latter into warnings or, better, errors. But stuff that is in the middle category you don’t want to restrict unless there is a clear way to work around it.» Eric Lippert, May 14, 2008
Ta Bill!
It's old home week here in CP as I see it.
One of our customers hired some party to do a penetration test of our software throughout the week.
This morning half of our database backups failed.
Then, early afternoon, we got an email from one of the users, the system was pretty slow.
After that came a phone call, system seemed to be slow.
Checked out the server, nothing interesting going on.
Another email and then a phone call, things got slower and slower.
Turned out a DDoS was part of the friggin' penetration test, but only after we whitelisted their IP address.
Good thing they didn't tell anyone they were doing that.
Anyone here could have told them our server wasn't going to survive a DDoS.
When we found out our firewall was getting a beating, we remembered something about a pen test and called those guys; they just yanked out their network cable and all went back to normal.
Penetration Test? Are you referring to a wedding night?
Ravings en masse^
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
We have a security test once a year. Rule number one: do not give away anything... All we give to the company doing the test is the address of the site...
Skipper: We'll fix it.
Alex: Fix it? How you gonna fix this?
Skipper: Grit, spit and a whole lotta duct tape.
Yeah, we did at first.
They tested and everything.
Don't know why they needed to be whitelisted after that.
And I certainly don't know why they would DDoS us after that.
Do I understand correctly that the customer uses your services and let their penetrators use their systems to access your servers?
veni bibi saltavi
It's the French Way - Maginot Line Security Protocols.
Ravings en masse^
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
That was my first thought too, but he mentioned that someone "remembered" something about a Pen Test, so it was clearly run through their operations people.
I was about to advocate emailing every cert provider to yank everything they have and suing the hell out of them.
"There are three kinds of lies: lies, damned lies and statistics."
- Benjamin Disraeli
That is not correct.
It's their product on their servers. We only made it, change it and maintain it (software and server).
Sander Rossel wrote: only after we white listed their IP address
That's like handing over your house keys and the alarm code for a burglary test.
Block all IPs used by the company, tell them to try again, and then conveniently forget to unblock them, like, forever.
If they want to send results, they can do it by snail mail.
I wanna be a eunuchs developer! Pass me a bread knife!
For an authorized test in depth it actually makes sense. You want to test your defenses at multiple levels, not just assume that because the tester was unable to break the outermost layer of your defenses, everything behind it is equally well fortified. This is especially true if your outermost layers of defense are outsourced to a big security-as-a-service company but you've got internally built stuff within.
To reuse your analogy, it's more like testing that the motion detectors etc. in the alarm system will work, and that it's capable of calling for help if someone were to kick in your front door, without having to call a carpenter because the tester destroyed your entrance as the first step in his testing of the alarm system.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
Exactly.
They did all sorts of tests without being whitelisted.
But doing a DDoS is a weird choice for a "test", especially after being whitelisted. On a production system. Without communicating.
I don't know how you can be so calm about it.
I'd be absolutely %$#@#$% livid if some moron pulled a stunt like that.
"Oh, can you whitelist us, so we can hit your production system with a DDoS attack -- because that will make it look as though we're doing a great job, and we can charge more consultancy fees?"
@rses would be soundly and appropriately kicked, contracts would be torn up, and threats of civil action would be issued.
I wanna be a eunuchs developer! Pass me a bread knife!
Mark_Wallace wrote: I don't know how you can be so calm about it.
I'm just a programmer who picked up the phone at the wrong time.
I haven't worked on that project for about half a year, so I have little to do with it.
Besides, no harm done, except that their system was slow and customers complained.
And the most important part: it's not our fault.
The customer I have been working for automatically kicked me out of their system (because I failed to do something which I cannot do and which I also didn't know anyone had to do) so I can't log in to their systems anymore. Been trying to get my access back for two weeks now, but the helpdesk can't do anything without approval of a manager (who I don't even know), the manager shouted "approved!" in a mail, but things don't work like that because it has to be formal. I can get it formal by using a tool I don't have access to. Then I get emails in a mailbox I can't access, I told them, but they can't help it because that's the email address the system sends it to. Then support changed all my passwords (to the first password any hacker would probably guess), but that didn't give me any additional access whatsoever. And now, of course, the helpdesk is not responding at all anymore
Actually, a DDoS doesn't sound so bad at all
heh.
Can somebody please, please, PLEASE kill the system?
Lemme guess: SAP and Lotus Notes?
I wanna be a eunuchs developer! Pass me a bread knife!
Mark_Wallace wrote: Lemme guess: SAP and Lotus Notes?
Nope, not even close (really, I've never worked with either).
Unfortunately, I'm sworn to secrecy.
In the same spirit as my other post on the thread: if done sensibly, unlike what actually happened, a DDoS-type attack is of value for a pen test.
The most important part of doing it the right way is to coordinate with the company being tested to scale its size so the packet flood (or whatever) stops just short of causing performance problems (i.e. only using up most of the spare bandwidth/server capacity). The point of this isn't just to see if a site is as DDoS-hardy as the owners think it is (especially if they have some level of protection in place); it's that real-world attacks can hide themselves in a DDoS, with the immediately visible DDoS distracting human operators and camouflaging attack/exfiltration/etc. packets from security analytics tools that are looking for more sophisticated attacks.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
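The post above makes the point that a visible flood distracts operators and camouflages exfiltration from analytics. The following is an added example, not code from the thread or from anyone posting in it, showing one way a defender keeps outbound anomalies in view while inbound volume explodes: flood traffic is overwhelmingly inbound, exfiltration is outbound, so outbound bytes are tracked per destination against a quiet-day baseline and the inbound count never enters that calculation. The flow records, the five-field record layout, the addresses (RFC 5737 documentation ranges) and the headroom/size thresholds are all constructed assumptions for illustration.

```python
"""Keeping outbound anomalies visible during an inbound flood.

Added example, not code from the original thread. Flood traffic is
overwhelmingly inbound while exfiltration is outbound, so tracking outbound
bytes per destination against a quiet-day baseline keeps a comparatively
small outbound flow in view regardless of the inbound volume. All flow
records below are constructed sample data; the record layout, IP addresses
(RFC 5737 documentation ranges) and thresholds are assumptions.
"""
from collections import defaultdict

SERVER = "192.0.2.5"  # constructed address of the monitored server

# Flow record layout (assumed): (direction, src_ip, dst_ip, dst_port, bytes)
# Quiet-day baseline: modest inbound web traffic, routine outbound flows.
BASELINE_FLOWS = [
    ("in", f"198.51.100.{i}", SERVER, 443, 10_000) for i in range(1, 11)
] + [
    ("out", SERVER, "198.51.100.10", 443, 2_000_000),  # e.g. package updates
    ("out", SERVER, "198.51.100.20", 25, 500_000),      # outbound mail
]

# Incident window: a packet flood from many sources plus an outbound flow to a
# destination never seen in the baseline.
INCIDENT_FLOWS = [
    ("in", f"203.0.113.{i % 250 + 1}", SERVER, 443, 60) for i in range(200_000)
] + [
    ("out", SERVER, "198.51.100.10", 443, 2_500_000),  # normal, within headroom
    ("out", SERVER, "198.51.100.20", 25, 600_000),     # normal, within headroom
    ("out", SERVER, "198.51.100.99", 443, 40_000),     # new but tiny: ignored
    ("out", SERVER, "203.0.113.77", 443, 3_200_000),   # new and large: flagged
]


def inbound_volume(flows):
    """Total inbound bytes; this is the number a flood makes enormous."""
    return sum(nbytes for direction, _, _, _, nbytes in flows if direction == "in")


def outbound_bytes_by_dest(flows):
    """Aggregate outbound bytes per (destination IP, destination port)."""
    totals = defaultdict(int)
    for direction, _src, dst, port, nbytes in flows:
        if direction == "out":
            totals[(dst, port)] += nbytes
    return dict(totals)


def build_baseline(flows, headroom=3.0):
    """Per-destination outbound limit: observed quiet-day bytes times headroom."""
    return {dest: total * headroom
            for dest, total in outbound_bytes_by_dest(flows).items()}


def flag_outbound_anomalies(flows, baseline, min_new_bytes=1_000_000):
    """Return (dst_ip, dst_port, bytes, reason) for outbound destinations that
    either exceed their baseline limit or are unseen in the baseline and moved
    at least min_new_bytes. Inbound volume never enters the calculation, so a
    flood cannot drown the result."""
    flagged = []
    for (dst, port), total in outbound_bytes_by_dest(flows).items():
        limit = baseline.get((dst, port))
        if limit is None:
            if total >= min_new_bytes:
                flagged.append((dst, port, total, "new destination"))
        elif total > limit:
            flagged.append((dst, port, total, "above baseline"))
    return sorted(flagged)


def analyse(baseline_flows, incident_flows):
    """Summarise the incident: inbound ratio against the baseline plus the
    outbound flows worth an analyst's attention during the flood."""
    ratio = inbound_volume(incident_flows) / inbound_volume(baseline_flows)
    flagged = flag_outbound_anomalies(incident_flows, build_baseline(baseline_flows))
    return {"inbound_ratio": ratio, "flagged_outbound": flagged}


if __name__ == "__main__":
    result = analyse(BASELINE_FLOWS, INCIDENT_FLOWS)
    print(f"inbound volume is {result['inbound_ratio']:.0f}x the baseline")
    for dst, port, total, reason in result["flagged_outbound"]:
        print(f"outbound {total} bytes to {dst}:{port} ({reason})")
```

The design choice is the separation: an alert that compares total traffic to a threshold is exactly what a flood saturates, whereas an outbound-per-destination comparison is unaffected by how many inbound packets arrive. The small unseen destination stays below the size floor so routine noise does not page anyone, while the large unseen destination is reported even though it is a rounding error next to the flood.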