Tech workers - what did your IT Security team do that made your life hell and had no practical benefit? - eviltoast

One chestnut from my history in lottery game development:

While our security staff was incredibly tight and did a generally good job, oftentimes levels of paranoia were off the charts.

Once they went around hot gluing shut all of the “unnecessary” USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, also that every machine had a RW optical drive.

  • SpaceNoodle@lemmy.world
    link
    fedilink
    arrow-up
    45
    arrow-down
    1
    ·
    edit-2
    1 year ago

    I do this in protest of asinine password change rules.

    Nobody’s gonna see it since my monitor is at home, but it’s the principle of the thing.

    • residentmarchant@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      24
      ·
      1 year ago

      A truly dedicated enough attacker can and will look in your window! Or do fancier things like enable cameras on devices you put near your monitor

      Not saying it’s likely, but writing passwords down is super unsafe

      • Krudler@lemmy.worldOP
        link
        fedilink
        English
        arrow-up
        58
        arrow-down
        3
        ·
        1 year ago

        What you are describing is the equivalent of somebody breaking into your house so they can steal your house key.

        • curve_empty_buzz@discuss.tchncs.de
          link
          fedilink
          arrow-up
          20
          arrow-down
          5
          ·
          1 year ago

          No, they’re breaking into your house to steal your work key. The LastPass breach was accomplished by hitting an employee’s personal, out of date, Plex server and then using it to compromise their work from home computer. Targeting a highly privileged employees personal technology is absolutely something threat actors do.

          • Krudler@lemmy.worldOP
            link
            fedilink
            English
            arrow-up
            14
            ·
            1 year ago

            The point is if they’re going to get access to your PC it’s not going to be to turn on a webcam to see a sticky note on your monitor bezel. They’re gonna do other nefarious shit or keylog, etc.

            • residentmarchant@lemmy.world
              link
              fedilink
              English
              arrow-up
              6
              arrow-down
              3
              ·
              1 year ago

              Why keylog and pick up 10k random characters to sift through when the password they want is written down for them?

              • Rooty@lemmy.world
                link
                fedilink
                arrow-up
                5
                arrow-down
                1
                ·
                1 year ago

                Again, how is the attacker going to see a piece of paper that is stuck to the side of the screen? This rule makes sense in high traffic areas, but in a private persons home? The attacker would also need to be a burglar.

                • Krudler@lemmy.worldOP
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  It seems that some people are having trouble following the conversation and a basic stream of topical logic.

                  The initial premise was that somebody could see your passwords by pwning your machine… And using that to… Turn on webcam so they could steal your password so they could… pwn your machine?

                  Lol

                  • Hobo@lemmy.world
                    link
                    fedilink
                    arrow-up
                    1
                    arrow-down
                    3
                    ·
                    1 year ago

                    Nope. The premise is they pwn ANOTHER, less secure, personal device and use the camera from the DIFFERENT device to pwn your work computer. For example, by silently installing Pegasus on some cocky “security is dumb lol” employee’s 5 year out-of-date iphone via text message while they’re sleeping, and use the camera from that phone to recon the password.

                    They probably wouldn’t want the $3.50 that person has in their bank account, but ransoming corporate data pays bank, and wire transfering from a corporate account pays even better! If you’re in a highly privileged position, or have access to execute financial transactions at a larger company, pwning a personal device isn’t outside of the threat model.

                    Most likely that threat model doesn’t apply to you, but perhaps at least put it under the keyboard out of plain sight?