[a / b / c / d / e / f / g / gif / h / hr / k / m / o / p / r / s / t / u / v / vg / vm / vmg / vr / vrpg / vst / w / wg] [i / ic] [r9k / s4s / vip / qa] [cm / hm / lgbt / y] [3 / aco / adv / an / bant / biz / cgl / ck / co / diy / fa / fit / gd / hc / his / int / jp / lit / mlp / mu / n / news / out / po / pol / pw / qst / sci / soc / sp / tg / toy / trv / tv / vp / vt / wsg / wsr / x / xs] [Settings] [Search] [Mobile] [Home]
Settings Mobile Home
/g/ - Technology

[Advertise on 4chan]

Thread archived.
You cannot reply anymore.

[Advertise on 4chan]

File: elasic.jpg (62 KB, 1024x512)
62 KB
your social security number is on elasticcloud somewhere. the password for the instance is in an unrestricted Slack channel. it got there when someone gmailed it to another company they hired because the original company no longer has anyone who understands it working for them. the person in charge of these resources left a few weeks ago on horrible terms and still has his credentials, which are more privileged than anybody else's. the gmail address they sent it to is automatically forwarded to monday.com. the information was initially collected through cloudflare ssl and sent through a few servers in different datacenters leased from companies unencrypted because three separate people were in charge of infrastructure and none of them realized that their docker containers weren't going to be on the same system. nobody understands how any of it is connected anymore. a security contractor hired a node.js development company to try to "fix" their problem, but at the moment the only "problem" they think they have is that "the kibana dashboard is too slow." this company is responsible for all of the data monitoring for a reasonably-sized US state's government and several massive corporations

my job horrifies me each and every day in new and exciting ways
social security numbers are public information. anybody that has registered to vote has made their social security number available to the general public. the original social security act did not intend to use the number for anything more than accounting. if you allow your ssn to be used in such a way that it must be kept private, you are the one at fault, not any company or software that might "leak" your number. Your SSN is less like a password and more like a phone number.
i guess "social security number" is a bad example, it just felt like the option that would be the punchiest to someone who isn't very security-conscious.

view it as a stand-in for whatever other secure bit of information you'd like; the issue here has nothing to do with the way the SSN was handled directly, and it's not even close to the most egregious thing I can fetch from the user information I've got right now. the issue is the sheer number of failure points in most modern software stacks, the overarching culture in tech driving companies to innovate and be "ahead of the curve" with technologies the managers don't understand and for which the administrators aren't given enough resources to properly implement, and the apparent lack of care given to ensuring that basic security practices are actually being employed properly.

anyway, post your SSN anon
come at me nigga
> Corpos doesn't care about your privacy
> Corpo engineers and pajeets can doxx anyone in their system
> Insecure passwords floating around the enterprise
More news at five. It's 2021 and neither ssh keys, nor windows passwords nor any other forms of sso have spread in the enterprise. Also corpos didn't have the memo that no one is supposed to directly access the live system's data, but you are meant to have pseudonymized excerpts that reproduce the bug or give you the ability to test the features.
okay, yeah, i've worked on databases that have a lot of shit in plaintext that they shouldn't, and for companies that let that data float around in places that nearly anyone can access. it's horrifying in a way, but it's just the way the world is right now. you can't save everyone else but what you can do is use this info to protect yourself and inform people close to you.
i've seen streetshitters throw plaintext passwords into mongodb. 2021 is fucking great
yeah fair. it's really frustrating to talk about this with non-techies and have them call me paranoid about my data despite the fact that its obvious to me there's a problem. i've tried and failed to educate the people around me, what am i even supposed to do about that? it must feel so nice to just not care

Delete Post: [File Only] Style:
[Disable Mobile View / Use Desktop Site]

[Enable Mobile View / Use Mobile Site]

All trademarks and copyrights on this page are owned by their respective parties. Images uploaded are the responsibility of the Poster. Comments are owned by the Poster.