Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem)
31 points by rw-rw-rw-
tl;dr online JSON formatting tools have a share feature that makes the content public (?!) and there are a lot of secrets in there and evidence bad actors are scanning them.
Incredibly grating prose, suggested rant.
Infosec is such a toxic sinkhole. Most of it is like this, berating people who don't know better without offering any solutions. It is the place for the worst persons among us.
The authors don't even question why these sites would have a public registry of shared links. Yes, users should have mental alarm bells ringing before saving secrets on a third party site, but surely a "Recent Links" page is just a silly feature to have?
To be frank, if you don't have the instinct not to do this, you should be disqualified from ever operating or developing software solutions again.
I quite often find that people making these sorts of mistakes are often doing so because they're working around another person's security instinct. For instance, I personally wouldn't fall for this trap because I'd just use jq to format the JSON. However, at a previous job, I didn't have permission to install jq, because "running executables that haven't been vetted by the security team is insecure". Yes, this applied to developers. Yes, the executables compiled by the developer still fell under this rule.
Luckily, the security team had vetted the java executable. Now, they had rejected the javac compiler, as it would allow for compiling arbitrary code, so I couldn't write new Java code. I could (and did) download the Clojure REPL and write my own code in there. My coworkers, though, likely didn't want to learn a whole other language and would just paste the JSON into a website with their security-vetted browser. Out of the two of us, I'm the one more likely to get in trouble for "bypassing security protocols."
No amount of good security instincts will help when the daily work process requires ignoring those instincts. As another quick example, the mandatory phishing training with my current employer requires clicking on an insanely sketchy link ( https://employer.weirdurl.wrongCountryCode/longHexString ) and putting our user name and password in the prompt at the end of the link. This is not a test of our ability to recognise a phishing email; it's the process of accessing the mandatory training materials. Since the training is mandatory, following your instincts (or the actual training materials) is grounds for dismissal.
After being told fifty times a week that our instincts are wrong, it shouldn't be a surprise that those instincts get ignored the one time that they are right.
the mandatory phishing training
At a previous employer, we had those annoying "This email is outside your organization" banners on all external emails - naturally they disabled that when it came to "phishing training", rendering the entire practice moot.
Luckily, the security team had vetted the java executable. Now, they had rejected the javac compiler, as it would allow for compiling arbitrary code, so I couldn't write new Java code.
How was it possible to do your job? What happened to the code you wrote and compiled but couldn’t run?
Before I begin, I should mention that we weren't doing Java development - the Java interpreter just happened to be a way to get around a specific problem. Visual Studio was supported by the security policy, although the binaries it produced were not.
The official statement by IT security was:
The six-week turnaround time was considered encouragement to check our source for bugs before compiling and submitting.
As you imagine, in practice, this was obviously unworkable. Thankfully, this was during the days of Windows XP and I just broke the administrator account on my machine and the server so I could install and run whatever I wanted. My boss knew I'd done that, but he cared far more about getting the work done than about upsetting the security team.
The whole Clojure debacle came during the later days of my employment. We got in a new machine with a GPU compute card that was running Windows 7. My old tricks didn't work for getting admin access under Windows 7, so that led to the whole trick with writing the code in Clojure with the ClojureCL library.
All of this is rather another example of my original point. I spent eight years running an administrator account as my daily driver because my user accounts were locked down to the point of being unusable. I would never do this on my personal machines, but I was forced to ignore my own security instincts in order to work around the instincts of the security team.
It’s incredible to me that security teams get away with operating like this, and that it’s actually pretty common.
Not that I have any numbers to quote on this, but I do have the feeling that universities are not affected more by cybercrime/viruses than corporations, even though the central university IT services AFAIK seldom administer individual people's PCs. Which would mean much of this "security" is actually ineffective and unnecessary.
Ah, this reminds me of the days at my old employer where we had administrative access to our machines, but accessing the Internet required going through a proxy which would intercept all HTTPS traffic and didn't allow access to half of the documentation of our toolchain (the category "freeware" was blocked, and e.g. cppcheck was categorized as such). But at least LinkedIn worked, I guess (out of all the social networks).