Skip Navigation

iiiiiiitttttttttttt @programming.dev

irelephant [he/him] @programming.dev

23h ago

Simple security test

24 comments

Tangential rant: how did we get to a world in which shit like Plaid and Teller exist?
The first rule of security is don't tell people your password.
The second rule of security club is DON'T FUCKING TELL PEOPLE YOUR PASSWORD.
"We need to link your bank account"
Ok
"Put your password to your bank account in this little JavaScript widget"
Bro??? What? To my fucking bank account? Arguably the most important password I have?
"We promise we won't log it"
Oh, well ok then, as long as you pinky promise, I guess
How is this considered NORMAL?!
And now there's some sites that won't even let you do the "old way" of making tiny deposits! They demand that you use Plaid!
AAAAHHH CRAZY PILLS
- Again, SEPA zones winning with PSD2 banking connections, which natively connect to your bank, and hands over an access token.
  It's effectively oauth with a bank API and some strict requirements such as mTLS on the api calls.

Yardi listed as a system - Must be an asset management company if I remember the awful softwares I managed back when I did help desk.

Edward Snowden did something very similar to this while working as a sysadmin in order to obtain access to many systems he otherwise would not have access to. It was internally dubbed the "password roundup."

... This is a 'which coworkers are idiots?' test... right?
... Right?
- Yes, unfortunately it's the person who put up the sign who failed the test.
  
  why?

And then there's me, when my company signed up all up for cyber security training to identify scams, I assumed it was a scam and deleted it...
Top tip guys, when you sign your staff up for this shit, tell them first.
- Half the people here immediately deleted some survey about the work climate or something done by an external provider and didn't even question it because it was so obviously a phishing mail.
  I just ignored it thinking the same. Until my scrum master told me that we should please all answer that survey.
  
  They think the security companies are their ally?
  We were born in the scams. Moulded by them. I didn't see a genuine banking email until I was already a man.
- My company stresses to always be vigilant for phishing scams but their test emails are the only ones that I ever receive. That’s a good thing though because they always get plenty of people.
  
  This one time I got a "test email" but it was sent from a legitimate domain, used our in-house style correctly, didn't contain any spelling errors, contained personal information about me that a simple leaked email couldn't reveal, and linked to a document on an internal server. When I opened the link, it said "this was a mock phishing email, your respone has been registered". Literally the only time I got got, and their supposed "tell" was that the tone was more urgent than you'd expect. I just thought it was written by a stressed intern.

I wanna change my account password from 12345 to 54321, so it's different from my boss' luggage
- I wish I made enough to afford luggage with five digit combinations...

I'd like to change my password from hunter to hunter2
- From 6 to 7 asterisks? That doesn't make sense.
  
  Exactly! Just 7 *'s.
  Who's even going to guess that? No one. Even if someone hacks it? Still looks protected!
  Literally unbreakable!
  
  No, he clearly wants to change it from ****** to *******.
  For the record, a far more secure password would be ********, because it has a * in it which some websites require
  
  Hunted then?

I feel like this would be in a video game where the devs had to put a puzzle but didn't want to

F

ect.

Facebook is Bad, mmmkay

24 comments