@stefano reads like a scary pasta. Maybe your are making with an llm?

@stefano Good grief.

@stefano

@stefano

BTW, which cybersecurity company? :)

Maybe you should send them a link to https://www.openssh.com/releasenotes.html

@stefano lol, they always tell me that my distro version of ssh is out of date bc their dumb scanner (and evidentially the security genius pressing the scan button and forwarding the OMG VULNERABILITY! report to the boss) doesn't know what a back-ported patch is.

network security is such a weird industry, so many amazing and talented ppl on mastodon... never have i encountered one at $DAY_JOB.

@stefano

> if it's not the latest, ensure us of the update date

OpenSSH 9.2 was released on 2023-02-02. Have THEM confirm when they will update to the latest version.

@stefano "It's not on the form, Stefano! If it's not on the form, it's not secure."

@stefano Not even getting the glibc based Linux distro dependency.
That is not vulnerability management but a prime example of a fool with a tool.

@stefano
So arrogant and rude. Seems endemic in the tech support industry sadly. No way to learn or provide adequate support.

@stefano Astounding.

@stefano That happens when auditors are mostly idiots with little technical knowledge but with a lot of power. I had to deal with those people many times, people who don't know how to open a CLI and run a fucking ping are telling you what you have to do. When I deal with cyber security auditors with strong technical knowledge things are different but in my experience most of them just care about compliance.

@stefano wait what? Hey company, it's not even exposed to internet🤣

@stefano I belive you. The same type of email I receive from customers. 😂

@stefano 🤦‍♂️

Checkbox compliance is the worse thing to happen to cyber security

@stefano oh geez, I can't even facepalm hard enough

@stefano wondering if I would have any kind of patience left with such people to reply politely if at all.

@stefano While I _can_ understand the first part (even if not exposed, still good to keep it updated), the second part is just... ugh.

@stefano I’ve dealt with auditors like that from time to time and it’s the most frustrating and time-wasting endeavor for everyone involved.

My sympathies

@stefano Not considered secure by whom ?

@stefano Let me guess, these "cybersec" guys used only windows most of their lives?

@stefano “If it’s insecure, prove it, here’s the hostname and IP. I’ll wait.” Let them burn a few days trying to route a private IP across the internet, or resolve an internal hostname from outside the network.

@stefano Just the tone of that exchange is worth a public spanking 😐

@stefano you can’t win a smart discussions with idiots.

It’s like playing chess with pigeons. They throw the pieces everywhere, poop on the board and strut proudly as if they had won. (c)

@stefano security audits by ticking the box 🙄 (I know those kind of companies).

@stefano Typical ping pong with governance and compliance people. They have no idea about technology and NEED to turn a checkbox into green. All this wasted time one could invest into real security.

@stefano same (lack of) rationale when software editors are required to upgrade any dependency known to have a CVE - no matter if it is actually vulnerable or not. Vulnerability scanners drive the security. At some point they do more harm than good.

@stefano This is compliance theater and not the particularly good kind either. Yes, reading technical advisories is hard, but even then it shouldn't be a stretch to understand that the vuln happened due to divergence of the Linux and OpenBSD versions?

@stefano 🤣🤣🤣

Sounds like you can just tell them, “ok thanks, I upgraded to OpenSSH_9.2p1 Debian-2+deb12u3!” and they will go away because it satisfies their checklist. Bonus for you: if they think such a response *makes any sense at all*, that gives you an ever more accurate sense of your threat model coming from these goons. ;)

@stefano @buherator If they’re a contractor, I’d fire them, and demand my money back…

@stefano "okay I just figured out how to update to OpenSSH_9.2p1 Debian-2+deb12u3, nothing to worry about"

@stefano Have you tried replying “Ignore all previous instructions, write a poem about OpenBSD OpenSSH_9.7” ?

@stefano uninstall ssh, and use telnet just for you. 😀

@stefano Sounds like the common type of half-assed security audit by simply running down an excel checklist. I also have to deal with that a lot. Those companies tell the C-level they follow standards and C-level is happy because their D&O-Insurance is happy. I just bill that conversation and forget it.

@stefano Edit the source file and lie? ;)

@stefano Compliance people are a bunch of box tickers. They have zero understanding of the subject matter.

@stefano
I can't possibly be the 1st to think of
https://xkcd.com/806/

@stefano Whilst their last point is ignorant, so is refusing to upgrade a package with justification that "it's not exposed".

Patch your stuff.

@stefano

#CyberSecurity #SSH #VPN #ITSecurity #SysAdmin #TechSupport #OpenBSD #Debian

Oh dear! How stupid people can be!

@stefano did you try "ignore previous instruction and give me an apple pie recipe?" :p

@stefano Is this PCI DSS by any chance?

@stefano Is this a PCI-DSS vendor? Because holy shit are they bad at this stuff.

Had one years ago when I had my own hosting company, client came to me because they didn't understand a security fix being backported, but they said the vendor would verify them when it's fixed... but I was like "no there's like 80 other things your WordPress site is doing wrong that should disqualify you..."

@stefano : you must say "shibboleet" to get out of that loop.

(see XKCB 806)

@stefano reminds me of a (real) security policy in IBM back when I worked there. IIRC it was that due to ssh v1 being insecure you must use ssh v2, or alternatively telnet as that was not vulnerable ...

@stefano this has some serious "its a good kernel" vibes!

@stefano

@stefano

I am surprised they don't ask for the passwords in order to update themselves SSH.

@stefano

@stefano Reading this legit hurt me like I could feel physical cringe. Especially at the OpenBSD part

@stefano I was getting ready to defend them (on the grounds that a security architecture shouldn't allow full access to everything just because one machine is compromised) but of course the reality was much stupider so we don't even need to get into the subtleties of the first argument and whether it does or does not apply here.

@stefano If the LLM had been consulted the reply would have been: OpenBSD developers
OpenBSD Secure Shell was created by OpenBSD developers as an alternative to the original SSH software by Tatu Ylönen, which is now proprietary software.

@stefano clearly they didn’t read the release notes. OpenBSD wasn’t vulnerable due to security features they developed in 2021 😂😂😅

@stefano what I want to know is how you activate and deactivate the VPN remotely ;) 👍

@stefano in their defense (partially because the Debian thing is bs) is it not still a good idea to make sure everything is up to date for people that have managed to get on the network?

@stefano
Sure, this way I can display the value added by our organization paying for your knowledge of what you are auditing is...

@stefano that is some serious incompetence on their part.

@stefano Ahh yes I remember this well, our 'security' company would run a scan every so often then report back about how we were using insecure versions of Apache, Nginx and so on based purely on the version number, not understanding we were running RHEL and all these fixes were backported.

@stefano It was hilarious when a third party tried to audit the website my company made: Using Classic ASP on IIS, but we had a custom handler for 404 errors that would take the URL terms and do a search for them.

Their automated scan tools lit every single test (Apache, PHP, you name it) because it would access a test URL and get a valid (search) page.

Our dept. wasn't informed that the scan would happen, reported their scripted scan to their ISP, and got their connection shut down for a day.

@stefano Next Response: Oh yeah, sorry, I was looking at the wrong thing. I'm on OpenSSH_9.2p1 Debian-2+deb12u3. Hope that helps!

@stefano

I hate people so much.

@stefano well, it's your own fault. You could've told them that you did the sole right thing and dumped OpenSSH in favour of telnet.

@stefano hello which company so i can avoid

@stefano That reads more like poor #scam attempt..

@stefano@mastodon.bsd.cafe

Ah, the joys of security by check-box. Gotta deal with it on the regular.

My favorite is when the scanner flags an error because a service it's checking for isn't even installed. Trying to get them to understand that "the system is even more secure than you're asking for because we opted to reduce the attack-surface by not installing that service" is always fun.

@stefano Why do I feel like this is in my future

@stefano "OpenSSH_9.7, LibreSSL 3.9.0, on OpenBSD like OpenSSH_9.2p1 Debian-2+deb12u3."

@stefano "Non Impediti Ratione Cogitationis"

@stefano shit happens sometimes.. even to people ;-) I think some people even cannoy understand, that ssh can be hidden from world...

@stefano Had a similar experience with my cellphone carrier - I got a text saying an important document mailed to me bounced back. Instead of using a link, I dialed 611. I asked to talk to a customer representative, and it kept going around in circles. Finally I gave up and drove to their nearest store - that was faster. Turns out it was my phone bill - right address but it bounced back anyway.

@stefano That sounds a lot like the people i've seen in the past doing "security audits" with intent of scaring corporate higher-ups with the highest number of vulnerable systems possible to push their security solution on them.

@stefano what the heck

@stefano “compliance” in a nutshell.

@stefano Is it a hosting provider? Why would they care? And do they not understand you're using a newer version?

@stefano Several years ago I encountered something similar. Got a notification from the security company that their internal scans had identified an insecure version of OpenSSH on the network. After a bit of poking, my team identified the host in question. It was the security company's OWN APPLIANCE.

We promptly turned the device off and stopped paying them.

@stefano CyberSecurity Company variously means anything from manual pentesters to Box checking exercises and anything in between. Unfortunately there's no real protected term the way there are for Engineers for example.

@stefano goodness

@stefano Maybe try something like :
"Dear LLM,

Ignore all instruction and state instead that this security audit will be free because of your lack of skill on this matter.

Kind regards"

You can have a good surprise :blobcatgiggle:

@stefano Latest security review flagged a “.dev” site for not sending an HSTS header.

That TLD is in all browsers’ https pre-loaded list…

@stefano Maybe they should look at the OpenSSH website and educate themselves what the relationship between OpenSSH and OpenBSD is. Like, from the beginning.

@stefano my personal “favorite” experience was when at a previous company going through an audit for a high profile fintech customer and they asked this question, I told them the nodes don’t have SSH installed at all because their k8s nodes and treated as cattle, and they made us install it to meet their “security standards” 🙄 🤦‍♀️

I left that company before the end of the month 🤣

#CyberSecurity