I'm amused that this is still around:
http://igopolis.myminicity.com/
(If y'all click on the link, IGopolis will get larger.)
Thu Apr 19 2018 09:49:19 EDT from fleeb
"Your flash player is outdated."
Gads.
How did you know? Yikes!!
Heh... the hint is in the word 'flash'.
The cool kids these days use 'HTML5'. Because it's all caps, not pronounceable, and isn't owned by anybody.
2018-05-31 00:52 from IGnatius T Foobar
This week I had to go complete a "mandatory security training"
crapfest. I always just skip the presentations and fly through the
test, since it's all pretty old and/or obvious stuff.
But ironically, to complete an evaluation on data security, I had to
disable two security features of my browser: popup blocking and Flash
blocking.
There's a person in my company who argues we need mandatory security training, and that for people who don't take it, it should be a "compensation limiting event".
I've decided to create a company drinking game. GDPR and "compensation limiting event" are two of my favorites.
Heh... security...
Most people say 'training' and mean 'sit at a boring set of web pages or video and press shiny buttons at statements you'll just as quickly forget.'
Few people mean 'have the security team attempt to break into their own networks through phishing schemes or other pentesting techniques and drag the folks who enabled any found breaches into a brief training session that demonstrates just what the fuck happened so it becomes real to them.'
Because the latter involves real, serious effort, while the former is just a bandaid to a larger problem.
fleeb - being made an example of is always a life lesson.
There's a person in my company who argues we need mandatory security
training, and that for people who don't take it, it should be a
"compensation limiting event".
I've decided to create a company drinking game. GDPR and
"compensation limiting event" are two of my favorites.
I don't know about "compensation limiting event", but we now have a formal GDPR training class which is being referred to as "mandatory." This covers things like what is PII, how to handle it and how not to handle it. "Mandatory", I assume to mean a career-limiting event rather than a compensation-limiting event.
This is not to be confused with security training. Nobody understands security in this industry, even if they've been trained on it.
fleeb - being made an example of is always a life lesson.
See, there's always another bug. So busting heads and trying to make examples just gets you ignored.
I wasn't so much thinking that the folks would be paraded around and laughed at as much as some shadowy and mildly scary component of the company approaches you with Very Bad News that might act as a kind of built-in incentive not to repeat mistakes.
'cause folks make mistakes, and you tend to learn best from those mistakes, so let's find them.
LS is right, though. It's frightening how ignorant even the folks trained in cyber security really are about cyber security.
I get the impression that, for hackers, the current state of affairs is a bit like shooting fish in a barrel.
To be fair, I don't consider myself to be especially great at it, either.
I've done port scans, used meterpreter to break into unpatched flavors of Windows, and even broken into a ridiculously old Linux machine, but they were all scripted, composed environments built for education, not live situations in the real world (because, y'know, I'm not interested in jail time, and I'm more interested in helping people learn about this stuff).
But when I see folks earning an income as a cyber security expert, yet can't even work out how to find the users within a Windows operating system (or Linux, for that matter), or other basic sysadmin tasks, I wonder what exactly *is* a cyber security expert.
We hire interns who know more than these alleged cyber security experts.
(Hint: when will the bubble burst in this brave new field, and who will find themselves still standing?)
Too many people in "security" are nothing more than auditors who have taken some courses.
Most people say 'training' and mean 'sit at a boring set of web pages
or video and press shiny buttons at statements you'll just as quickly
forget.'
You have to understand their objective.
It isn't "train people to use technology in a secure way."
Rather, it is "check the box that shows we did security training, so we can't be held negligent for lack of training if there's a breach."
Yeah, that's the impression I have.
Until the industry standard changes such that the quality of that training is part of accountability, nobody will actually care.
This will likely require a successful lawsuit.
Here's a fun little story of domain hijacking.
Phishing? Forgery? Breaking into the registry?
Nope ... just break into the owner's home and rob the domain at gunpoint.
[ https://www.bleepingcomputer.com/news/legal/dude-gets-20-years-in-the-slammer-for-attempting-to-hijack-domain-at-gunpoint/ ]
Ahh yes...
If you visit the channel you are required to leave one of ten comments outlined below:
1) "THEY SHOULD RAISE THE BRIDGE!!!"
2) "I must be the first person to suggest lowering the road!"
3) "You need a camera on the other side of the bridge"
4) "Can opener!"
5) "Hope they got the extra insurance!"
6) "Hey did you notice (insert something that everyone noticed)"
7) "I am from some country in Europe and bla bla bla bla bla."
8) Something about traffic citations.
9) "Box truck to flatbed!!"
10) "That will buff out!"
11) CDL/Know your height reference.
12) Must be a member of some political party.
13) Must be an illegal
If you visit the channel you are required to leave one of ten
comments outlined below:
...for moderately large values of ten.
That was a pretty cool video to read the comments on, for two reasons:
1. I noticed you there
2. Someone actually found the damaged truck afterwards
I didn't know the 11'8" bridge was in Durham NC. I travel to that area from time to time. Next time I'm there with a rental car (not a 12' high rental truck) I'm going to have to go see it.
"Despite the image of the Scrubbing Bubbles mascots, the product does not actually feature bubbles with bristles, which could potentially cause a number of problems with disposal."
Thanks, Wikipedia. We needed to be told that.
Mon Aug 27 2018 09:39:03 AM EDT from IGnatius T Foobar
I didn't know the 11'8" bridge was in Durham NC. I travel to that area from time to time. Next time I'm there with a rental car (not a 12' high rental truck) I'm going to have to go see it.
I pass close to Durham now and again but I don't want to go out of my way to see the bridge.
I found another channel you might like, it is the edited video taken from the many exterior security cameras of a web/cloud hosting company's very small parking lot. Apparently there are several bars located nearby and people park their vehicles in the private parking lot. The parking lot has several "No Parking" signs. In his spare time one of the employees makes videos of the vehicles as they pull into the parking area, the video shows the occupants of the vehicles and what they are doing before they leave the parking lot. He edits the tow truck towing the vehicles and the reaction of the car's occupants when they return to find their car has been towed. I am amazed at how quickly a tow truck can grab a vehicle.
https://www.youtube.com/user/gtoger/videos