ShakyJake
<Donor>
- 7,920
- 19,988
Typically these are medical devices within the customer's network. In one particular instance we need to send user passwords to the device encrypted with the key that is supplied to us by the vendor.
IT/Software career thread: Invert binary trees for dollars.
- Thread starter Traak
- Start date
-
Guest, it's time once again for the massively important and exciting FoH Asshat Tournament!
Go here and give us your nominations!Who's been the biggest Asshat in the last year? Give us your worst ones!
Typically these are medical devices within the customer's network. In one particular instance we need to send user passwords to the device encrypted with the key that is supplied to us by the vendor.
- 16,768
- 7,790
I'm not a security guru if that wasn't already obvious. But this basically sounds like something you can't "solve" and only mitigate. You're violating the basic security principle of having a key and a lock because you have to deliver both at the same time via some guy.
How often does the key need to be accessed? Maybe you could do something where you hide it behind a bunch of mathematical computations, lowering the chance of brute force if someone gets it.
How often does the key need to be accessed? Maybe you could do something where you hide it behind a bunch of mathematical computations, lowering the chance of brute force if someone gets it.
- 7,879
- 507
option 1 or 2 are your best bet, but neither are "great"... doesn't matter as long as the password isn't static on every delivery of the zip/sqlite.
- 7,879
- 507
The CAs are included in most distros, what the servers that can't get to the internet wouldn't be able to do is check a CRL (revocation list) to find out if your cert got stolen. Or hell just create your own CA, send the root public to clients.
alavaz
Trakanon Raider
- 2,003
- 714
I would think that you could include a public key in your DLL that then generates the "encryption" key at install time. As long as it is signed by the public key then your downstream application should trust it for encryption.
- 1
LiquidDeath
Magnus Deadlift the Fucktiger
- 5,049
- 11,930
Not directly job related, but I have some leeway at my company to attend training and I was wondering if anyone knew of any good Las Vegas based training, seminars, or conventions that cover topics related to IT Security, Process Management, Change Management, IT Risk, or Risk Management. I can't find a good resource to search for upcoming events related to those things.
- 7,879
- 507
As
chaos
said, Hacker Summercamp is next week...
BSides LasVegas is Tues/Wed (InfoSec Community driven, talks and networking and fun stuff
Black Hat is Wed/Thur with some training starting before that (InfoSec conf w/ tons of vendors and parties and dinners and shit)
DefCon is Thurs-Sun (Hacker Conf, tons of talks, villages, parties, and meetups)
BSides is sold out unless your company sponsors for a badge (don't do that)
BlackHat is like $2000-$5000 a ticket, but you might be able to find a security vendor to give you a pass if you deal with them. I got one from a vendor, and another for a coworker from a different vendor. I do have to go to their dinner/party, but c'est la vie.
DefCon is $300 (cash, at the door), and is pretty amazing. There is no cap, so do it up. PM me if you decide to go.
OTHERWISE, if you have the money: SANS is having an event in Vegas in September Cyber Security Training in Las Vegas | SANS Network Security 2019 If you want the Platinum-Standard technical security training, this is it. I'll be sending one employee to it,, and possibly two. It's fucking expensive, but I believe it has the value proposition to be worthwhile. Skip 301... just don't do it. Also the 401 test is hard. It's a ton of technical information, but it's awesome to see people pass it.
Recommended courses:
SEC401 - GSEC Certification, good class, base level tech knowledge
SEC504 - GCIH, Incident Handling and Hacking tool. This is one of the instructor's last courses he'll be teaching, and he wrote the textbook and course work for this course. John Strand is amazing and I wish I could take this class from him.
FOR578 - Cyber Threat Intelligence. Robert M Lee runs one of the coolest security companies working to secure industrial controls. He also wrote the book and sort of started the CTI business for private companies.
And there are ton of forensics classes and PenTesting/Red Teaming classes taught by the industry best, the list of instructors and classes is pretty amazing.
The SANS classes are like $6600 each, the exam is $775, and then there is food and lodging. A big part is the after-class stuff, as they have CTFs, NetWars, and competitions along with networking and other events (and a summit like this sometimes has ad-hocs presentations also, but not like SANSFire in DC does).
chaos
said, Hacker Summercamp is next week... BSides LasVegas is Tues/Wed (InfoSec Community driven, talks and networking and fun stuff
Black Hat is Wed/Thur with some training starting before that (InfoSec conf w/ tons of vendors and parties and dinners and shit)
DefCon is Thurs-Sun (Hacker Conf, tons of talks, villages, parties, and meetups)
BSides is sold out unless your company sponsors for a badge (don't do that)
BlackHat is like $2000-$5000 a ticket, but you might be able to find a security vendor to give you a pass if you deal with them. I got one from a vendor, and another for a coworker from a different vendor. I do have to go to their dinner/party, but c'est la vie.
DefCon is $300 (cash, at the door), and is pretty amazing. There is no cap, so do it up. PM me if you decide to go.
OTHERWISE, if you have the money: SANS is having an event in Vegas in September Cyber Security Training in Las Vegas | SANS Network Security 2019 If you want the Platinum-Standard technical security training, this is it. I'll be sending one employee to it,, and possibly two. It's fucking expensive, but I believe it has the value proposition to be worthwhile. Skip 301... just don't do it. Also the 401 test is hard. It's a ton of technical information, but it's awesome to see people pass it.
Recommended courses:
SEC401 - GSEC Certification, good class, base level tech knowledge
SEC504 - GCIH, Incident Handling and Hacking tool. This is one of the instructor's last courses he'll be teaching, and he wrote the textbook and course work for this course. John Strand is amazing and I wish I could take this class from him.
FOR578 - Cyber Threat Intelligence. Robert M Lee runs one of the coolest security companies working to secure industrial controls. He also wrote the book and sort of started the CTI business for private companies.
And there are ton of forensics classes and PenTesting/Red Teaming classes taught by the industry best, the list of instructors and classes is pretty amazing.
The SANS classes are like $6600 each, the exam is $775, and then there is food and lodging. A big part is the after-class stuff, as they have CTFs, NetWars, and competitions along with networking and other events (and a summit like this sometimes has ad-hocs presentations also, but not like SANSFire in DC does).
- 1
- 34,284
- 134,588
I have yet to respond to my plea for help last month, obviously. Will post tmrw.
I do have a quick question.
Pros and cons of an aggregator website.
Also, is paywall/subscription based curation actually viable in the building up of the cpm growth stage or should I skip that and possibly not use it even in the future?
I do have a quick question.
Pros and cons of an aggregator website.
Also, is paywall/subscription based curation actually viable in the building up of the cpm growth stage or should I skip that and possibly not use it even in the future?
chaos
Buzzfeed Editor
- 17,324
- 4,839
Kind of a fucking hail mary here but I don't suppose any of you have ever successfully configured Guacamole in such a way that there's no hardcoded passwords and you don't have to disable NLA on your Windows boxes?
edit: got it. You'd figure this would be well documented but I guess most admins just YOLO it and shut off NLA or hardcode user passwords because this world is a hellscape of pain.
edit: got it. You'd figure this would be well documented but I guess most admins just YOLO it and shut off NLA or hardcode user passwords because this world is a hellscape of pain.
Last edited:
- 1
- 16,768
- 7,790
Is there a way I could "test drive" being a developer? I'm currently a QA manager and while I do a fair bit of programming, mostly in Python, I don't feel like I'm a "real" developer. Is there a way I could see if the grass really is greener without actually hopping the fence? This is a good paying job, I get a 4-5% raise and bonus reliably each year, I don't think there's a risk of layoff outside of the whole company tanking. But I'm also the sole source of income for our family, so rolling the dice on a new job feels a bit reckless. Is there something short of that I could do?
Vinen
God is dead
- 2,790
- 495
The best option I'd say is to speak with your Managerment team to see if you can work your way in that direction.
- 16,768
- 7,790
The company is relatively small, a bit over 100 employees, there's not a whole lot of flexibility in that regard.
One of my minions tried to do that a few times, he's still stuck in QA. It could be he didn't "put in his time" or he just didn't have the skills they wanted, but I know my boss took offense to the request. Kinda like "we hired you to do this, you're doing this".
TJT
Mr. Poopybutthole
- 42,814
- 109,304
I think the greener grass just depends on what kind of stuff you want to code. I imagine you're giving your minions tasks to automate testing in Selenium or something? When I was an SDET I enjoyed the selenium development tasks most of the time. It was the other aspects of QA I disliked. So I moved into performance engineering when the opportunity presented itself. Which was a lot more fun until I just got fed the fuck up with General Motors.
If you just want to code, solve problems and be more involved with the design process then yeah the grass will definitely be greener.
If you just want to code, solve problems and be more involved with the design process then yeah the grass will definitely be greener.
Noodleface
A Mod Real Quick
- 38,287
- 15,129
Well, you could do a couple things I think.
Look up small contracting jobs - there was some app that's eluding me right now that let you take on very small projects for some agreed upon pay. It's kind of hit or miss, but you could try to land some small time stuff and do that in your free time.
You could also just look on indeed or wherever for part time freelancing/contracting work. Yeah, you'd be working a lot more but it would give you an idea if you liked it.
Money aside, you could start working on personal projects and just treat them like a real product. Do source control, document everything, code and test, etc.
I don't think many people here would actively want to be in QA, so I would think you'd be happier doing dev work.
As far as rolling the dice on a new job - I've done it 3 times. It's a little weird and sometimes the transition is rocky, but in the end every move was worth it.
Look up small contracting jobs - there was some app that's eluding me right now that let you take on very small projects for some agreed upon pay. It's kind of hit or miss, but you could try to land some small time stuff and do that in your free time.
You could also just look on indeed or wherever for part time freelancing/contracting work. Yeah, you'd be working a lot more but it would give you an idea if you liked it.
Money aside, you could start working on personal projects and just treat them like a real product. Do source control, document everything, code and test, etc.
I don't think many people here would actively want to be in QA, so I would think you'd be happier doing dev work.
As far as rolling the dice on a new job - I've done it 3 times. It's a little weird and sometimes the transition is rocky, but in the end every move was worth it.
- 1
- 16,768
- 7,790
We use Selenium as a browser driver, but we don't actually do any coding for it in terms of tasks and complex browser control/clicking. Coding up the class that acted as the interface between our test system and Selenium python code was actually one of more fun things I did over the last year. I essentially want more of that. But I also feel like that was kinda routine for a typical developer. Like even if I can get more tasks like that, I'd still be essentially limiting myself.
Monitoring 15+ email lists, nagging developers about shitty commits breaking the build because they ignore their own emails, triaging test results, I could do without that. I know most jobs have their bullshit quota, but essentially being the developers' janitor is really demoralizing. I will say instituting git's pipeline has helped a ton in this regard.
Oh god, release testing, fuuuuuuuck that shit. They want to move to a 6-month release cycle too
- 1