Post Ab6WPOKGNmASoGqRd2 by thepanz@phpc.social
 (DIR) Post #Ab6611NtQfHltrGHIm by stefano@mastodon.bsd.cafe
       2023-10-24T14:06:42Z
       
       0 likes, 0 repeats
       
       Me: "Hey guys, there's that old Ubuntu 18.04 which is now insecure, with php 7.2. Can we update?"
       Them: "The client did a pentest and didn't find any specific issues."
       Me: "I know, these pentests can often be misleading. But the issue still exists. Shall we proceed?"
       Them: "The CMS isn't compatible and needs updating. It's a lot of work and the client doesn't have a budget for that."
       Me: "Wait, they pay for third-party pentests but won't update the platform?"
       Them: "Yes, we need to find a solution to keep running php 7.2."
       Me: "I'm not a fan, but we could slap it into a FreeBSD jail - at least there's the protection from the jail and an updated OS behind it, and we can manually compile php 7.2 - setting up a parallel jail with modern tools and ready for the upgrade you'll do. Because you will do it, RIGHT?"
       Them: "Nah, there are still Docker images with php 7.2, let's use those."
       Me: "Yes, but there's a lot of outdated stuff in there: libraries, dependencies, etc."
       Them: "But it's easier and it solves the problem."
       
       And then we wonder why there's so much insecurity online - and a growing tech debt, relentlessly...
       
       #Cybersecurity #TechDebt #UpdateYourSystems #PentestMistakes #ObsoleteTech #docker #FreeBSD #Ubuntu #Linux #Security #CyberSecurityAwareness
       
 (DIR) Post #Ab66M5uJo9E20cTcA4 by sullybiker@sully.site
       2023-10-24T14:09:57Z
       
       0 likes, 0 repeats
       
       @stefano The most stable system is the one that's never updated!
       
 (DIR) Post #Ab66RGiN3POuyWM6bY by stefano@mastodon.bsd.cafe
       2023-10-24T14:11:26Z
       
       0 likes, 0 repeats
       
       @sullybiker It can be 😆 : https://it-notes.dragas.net/2023/08/27/that-old-netbsd-server-running-since-2010/
       
 (DIR) Post #Ab66ZDwxDWzwiVyDHU by gnemmi@mastodon.sdf.org
       2023-10-24T14:11:40Z
       
       0 likes, 0 repeats
       
       @stefano the nice thing about those scenarios is that when they actually have a security breach they can't handle you get to:
       1) tell them: "Yes, I know, it was just a matter of time as I told you"
       2) Charge them two or three (as you see fit) times as much 😊 🎉 🍻
       3) Vacation expenditures are covered!!
       
 (DIR) Post #Ab66cmAMSURVhnw1iq by sullybiker@sully.site
       2023-10-24T14:12:59Z
       
       0 likes, 0 repeats
       
       @stefano In my old job someone set up a workload involving a retired Mac mini that processed scanned images and sent them to various file systems. It did this for years. No documentation. Then after a power failure one day, you know what happened.
       
 (DIR) Post #Ab66dX8tnkCROsc1T6 by ParadeGrotesque@mastodon.sdf.org
       2023-10-24T14:13:05Z
       
       0 likes, 1 repeats
       
       @stefano To be honest, you lost me at the first occurrence of PHP...Whenever I see those 3 letters together, I know a security nightmare follows.  😊
       
 (DIR) Post #Ab66fZj5AO0fzaVhMO by stefano@mastodon.bsd.cafe
       2023-10-24T14:14:02Z
       
       0 likes, 0 repeats
       
       @gnemmi The problem is:
       1. "Sure, but we didn't have any other choice"
       2. I have a fixed agreement with them 😞
       3. Same as 2.
       
 (DIR) Post #Ab66qCGqiHzaQrMxLU by gnemmi@mastodon.sdf.org
       2023-10-24T14:14:52Z
       
       0 likes, 0 repeats
       
       @stefano oh god!🤦‍♂️ 🤦 🤦‍♂️
       
 (DIR) Post #Ab66qbTT0VwKbESsz2 by sullybiker@sully.site
       2023-10-24T14:15:30Z
       
       0 likes, 0 repeats
       
       @stefano I also had a researcher that had some 'self-managed' boxes that I updated a critical vulnerability on (they all have to run the same EDR to be allowed on network) and I got this furious email that I had "..broken everything"
       
 (DIR) Post #Ab676zQlhnTFX514pk by fluxwatcher@mastodon.social
       2023-10-24T14:18:27Z
       
       0 likes, 1 repeats
       
       @stefano Sounds terribly familiar, like many clients who fall into the hands of "WordPress selling companies" when they could have insisted on having a static site with almost no dependencies and maintenance costs.
       
 (DIR) Post #Ab67HuTgSd43MAaSrw by fedops@fosstodon.org
       2023-10-24T14:20:25Z
       
       0 likes, 1 repeats
       
       @stefano there may not be a budget for fixing old stuff, but there's always a budget for passing tick-the-box compliance audits.
       
 (DIR) Post #Ab68OPJaozUAgjWsGu by sullybiker@sully.site
       2023-10-24T14:32:48Z
       
       0 likes, 0 repeats
       
       @stefano "So secure nobody can use it"
       
 (DIR) Post #Ab68mJk5BzFmM3JxJY by ColonelKramer@digitalcourage.social
       2023-10-24T14:37:06Z
       
       0 likes, 0 repeats
       
       @stefano @gnemmi No exit point in the agreement?
       
 (DIR) Post #Ab6Bw8vYYZOvZT43I8 by stefano@mastodon.bsd.cafe
       2023-10-24T15:13:03Z
       
       0 likes, 0 repeats
       
       @ColonelKramer @gnemmi They're generally good, and I manage something like 150 servers with them. I'm just trying to avoid future troubles, both for them and for me.
       
 (DIR) Post #Ab6C0NQ6cBVtg5N9Hc by stefano@mastodon.bsd.cafe
       2023-10-24T15:13:50Z
       
       0 likes, 0 repeats
       
       @fedops EXACTLY!
       
 (DIR) Post #Ab6C9YCHunYBi0HeF6 by stefano@mastodon.bsd.cafe
       2023-10-24T15:15:29Z
       
       0 likes, 0 repeats
       
       @ParadeGrotesque I'll make it even worse: php *7.2*
       
 (DIR) Post #Ab6CQfpInqBaIFhHrE by stefano@mastodon.bsd.cafe
       2023-10-24T15:18:29Z
       
       0 likes, 0 repeats
       
       @freezr @gnemmi Unfortunately, it doesn't work for all the situations. But the point remains: I'm quite committed to creating a safer, more secure, more reliable Internet. Continuing to keep corpses alive is totally against my personal and professional ethics.
       
 (DIR) Post #Ab6GsJz80CcmThjRrM by ParadeGrotesque@mastodon.sdf.org
       2023-10-24T16:07:51Z
       
       0 likes, 1 repeats
       
       @stefano The version number behind P-H-P does not really matter. It will be trouble anyway. 😂
       
 (DIR) Post #Ab6H2nLZgpCiRGE2S0 by soaproot@sfba.social
       2023-10-24T16:08:33Z
       
       0 likes, 1 repeats
       
       @fedops @stefano Someone, in some twisted way, thinks this is making them more secure (or rather there is a chain of events from one person/audit to the next to the next which leads back to "more secure" and everyone is only looking at their local part of it, and the question of whether this situation, overall, makes them more secure, isn't even being asked because they aren't set up to ask that question).
       
 (DIR) Post #Ab6KbfODZC3Nl0mVm4 by stefano@mastodon.bsd.cafe
       2023-10-24T16:50:06Z
       
       0 likes, 0 repeats
       
       @freezr @gnemmi Not much different from the experience I had with a large local medical center with 8 branches. The servers are running on Windows 2003 Server, with the management software in Visual Basic and not upgradable to later versions (I don't know why, as when I saw Windows 2003 Server and all the sensitive data stored in plaintext inside it, I declined the job and didn't investigate further).
       
 (DIR) Post #Ab6KeXSzTrdU3MNpvU by stefano@mastodon.bsd.cafe
       2023-10-24T16:50:38Z
       
       0 likes, 0 repeats
       
       @freezr @gnemmi Not much different from the experience I had with a large local medical center with 8 branches. The servers are running on Windows 2003 Server, with the management software in Visual Basic and not upgradable to later versions (I don't know why, but when I saw Windows 2003 Server and all the sensitive data stored in plaintext inside it, I declined the job and didn't investigate further).
       
 (DIR) Post #Ab6NrAjnb5RFBhxeNM by morgant@mastodon.social
       2023-10-24T17:26:03Z
       
       0 likes, 0 repeats
       
       @stefano 👈 👈  This! This! THIS! THHHHIIIIIIISSSSSSS!
       
 (DIR) Post #Ab6TNTveHQFhkHjHpw by thepanz@phpc.social
       2023-10-24T18:27:42Z
       
       0 likes, 1 repeats
       
       @ParadeGrotesque @stefano well, that's not *always* the case!
       With PHP, as with any other language, it depends on how you implement your code with it ;-)
       No, I do not want to start a language flame here :-D
       
 (DIR) Post #Ab6U9IqAoEcjFuyHRo by stefano@mastodon.bsd.cafe
       2023-10-24T18:37:06Z
       
       0 likes, 0 repeats
       
       @thepanz @ParadeGrotesque I think one of the problems with PHP has also been the fact that it introduced many people to programming (in PHP, specifically), and much of the code generated over the years is of poor quality
       
 (DIR) Post #Ab6VBus8TmULk4hPg8 by ParadeGrotesque@mastodon.sdf.org
       2023-10-24T18:47:59Z
       
       0 likes, 0 repeats
       
       @thepanz Are you sure you don't want to start a language war?
       Because THAT is how you start a language war! 😂 @stefano
       
 (DIR) Post #Ab6WPOKGNmASoGqRd2 by thepanz@phpc.social
       2023-10-24T19:01:53Z
       
       0 likes, 0 repeats
       
       @stefano @ParadeGrotesque true that, and the new "hype" frameworks (yes, talking about the ones based on JS) for web development are not really improving the situation. I am not just addressing the lack of design patterns in some of those frameworks, but also the jungle (and in-security) of their dependencies.
       Any language is as good as the tooling around it, but you will always be able to shoot yourself in the foot.. or you opt for Rust, but in this case the bar is already quite high
       
 (DIR) Post #Ab6WXHU5hdaHuMChKy by thepanz@phpc.social
       2023-10-24T19:03:12Z
       
       0 likes, 0 repeats
       
       @ParadeGrotesque @stefano eheh, ooops! OK, will stop here then! :)