this post was submitted on 26 Jul 2023
70 points (92.7% liked)

[–] foggy 17 points 1 year ago (6 children)

I frequently wonder how many white house staffers have accounts that are currently compromised.

[–] just_another_person 12 points 1 year ago (5 children)

Not just that, but devices as well. First rule in Black Hat is keeping your mouth shut when you find an exploit. With practically everyone now having phones on them 24/7, or insecure internet connected devices at home, the attack surface area is everywhere. Almost a guarantee that government employees are targeted specifically for attack, and a large number are, or have been compromised at some point.

The only way to help prevent such things is to force government employees to abide by specific security practices for devices, which is practically impossible.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (4 children)

I work for a small medical firm nobody has ever heard of. Almost all our employees are targeted within a week of hiring on their personal devices with spearphishing trying to get company creds. It's insane.

[–] ooboontoo 3 points 1 year ago (1 children)

It sounds like they have real-time access to the company directory. Might want to review the logs of accounts with permissions and access to your domain controller.

[–] foggy 2 points 1 year ago* (last edited 1 year ago) (1 children)

Lmao right?! This happened at a company I worked for very briefly. They... were storing their ssl cert on an ftp server... And that's just the shortest, most damning sentence I can think of to describe how insecure the whole operation was. They also had govt contracts, so yeah, pwnd.

[–] LrdThndr 1 points 1 year ago

I posted about this a while back on that other double-d site, but I used to be an outsourced IT guy for a bunch of companies.

One of my clients was a small local collection agency. Their network was aged and falling apart, so we sold them a full network update - new server, new infra, new computers. They even ordered the newest version of their agency software.

We got it all set up in parallel to the existing setup, and were at the point of installing the server app, but for the life of me, I couldn’t get the damned thing to work.

So I called support and told them the issue. The support guy said “Oh, yeah. That’s a known issue. You just need to make anybody who needs to use the software a domain admin, and you have to leave the admin panel on the server app logged in at all times with the screen unlocked.”

I sat in stunned silence for a few seconds contemplating what this idiot just told me.

“If that’s a requirement to run this software, then go ahead and transfer me to whoever I need to talk to to get a refund on this, because you’ve got to be out of your fucking mind. There’s not a chance in hell I’m going to do that on a server that handles peoples’ financial data.”

He stammered for a minute then transferred me to someone who apparently had seen a computer before, and they were able to fix the issue — a cache directory just needed write permission.

But the part that bothers me is… how many other people did he tell that to and they just blindly followed those directions? If I had told the manager or owner they needed to call, they would have just done it with no reservation.

In small orgs with no IT, where the tech stuff is just done by a nephew or a staffer that’s “good with computers,” there’s zero thought given to security. I’d seen it with dozens of small companies - they’d done their own IT work forever, and had just called me in to address a thorny problem, and I find that their database is open to the world, or their whole org runs off an Access database file sitting on an XP home edition computer somebody brought in.

It’s fucking terrifying.
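The least-privilege fix the comment above describes (write access to one cache directory instead of domain admin for everyone), plus the domain-controller access check suggested earlier in the thread, as an added example that is not from any commenter; the paths, group and account names are assumptions:

```powershell
# Added example, not from the thread. Gives the agency-software users and
# service account Modify rights on the app's cache directory only, then checks
# who holds write access there and who is actually in Domain Admins.
# All names below are assumptions for illustration.
$CacheDir    = 'D:\AgencyApp\Cache'      # assumed cache directory of the server app
$AppGroup    = 'CORP\AgencyApp-Users'    # assumed domain group for people who use the app
$ServiceAcct = 'CORP\svc-agencyapp'      # assumed service account the server app runs as

$acl = Get-Acl -Path $CacheDir

# Modify (read/write/delete) on this folder, its subfolders and files; nothing else.
$rights      = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($identity in @($AppGroup, $ServiceAcct)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, $inherit, $propagation, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $CacheDir -AclObject $acl

# Check 1: who can write to the cache directory after the change.
(Get-Acl -Path $CacheDir).Access |
    Where-Object { $_.FileSystemRights -match 'Modify|Write|FullControl' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Check 2: Domain Admins should contain only real administrators, never
# the app users or the service account (requires the ActiveDirectory module).
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object SamAccountName, objectClass
```

Run it once as an administrator on the file server; if the app still fails, compare the vendor's stated requirement against a Process Monitor trace of which path is actually being denied rather than widening rights further.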
