this post was submitted on 15 Mar 2024
6 points (100.0% liked)

Selfhosted

After self hosting several services for a few users, with SSO, backups, hardware issues etc, I really appreciate how good the IT was in my old company. Everything was connected, smooth, slick and you could tell it was secure. I had very few issues and when I did, they were quickly solved. Doing this all at scale for thousands of employees spread across the world, it is a wonderful sight to see.

Now at my current company, it's at the opposite end of the scale where I almost believe that I could do a better job by myself! They're trying to do everything you would expect but somehow doing it wrong. They are so heavy on security I have a Citrix environment that takes me 3 logins to get to, fails constantly and means I can't work without internet (like on a long train journey for work purposes recently), and on the other hand they've only just turned off admin rights for users so we could've installed anything we wanted!!! All our attachments (incoming and outgoing) are saved to a secure website (like OneDrive) and replaced with a link. It doesn't save the file names on the email so it's really tricky to find old emails if it's a document you're looking for. I could go on but just venting at this point as it's so frustrating!!!

Thank you to the good IT people out there. Your roles are so important but not appreciated enough!

top 21 comments
[–] Dirk@lemmy.ml 3 points 8 months ago (9 children)

They are so heavy on security I have a Citrix environment that takes me 3 logins

My daily routine:

  1. Take laptop out of locked shelf
  2. Start Laptop and enter boot password
  3. Enter Bitlocker password
  4. Enter username (not saved) and password
  5. Open Citrix website and login with different username and password
  6. Enter MFA token to access said website
  7. Start server connection
  8. Enter different username/password (not saved) to access server
  9. Enter different MFA token for the server login
  10. Start the business-specific application with 3rd set of not saved and different login data

They also have plans to make MFA mandatory for laptop login, too.

Passwords need to be at least 15 characters long for laptops and 30 for servers and 10 for the business-specific application. All need to have uppercase, lowercase, numbers, and special characters and need to be changed every 60 days (for the server login) and cannot be the last 30 passwords.

[–] viking@infosec.pub 4 points 8 months ago (2 children)

And then they wonder that people resort to easily predictable patterns such as !1Qaz@2Wsx#3Edc and simply shift it one position to the right with every forced change and repeat at the end of the keyboard.
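
The policy described two comments up (15/30/10 character minimums, four character classes, a 30-entry history) and the keyboard-walk pattern in the reply above can be put side by side in code. The following is an added illustration, not code from this thread or from any product mentioned in it; it assumes a simplified US-QWERTY grid with the staggered rows treated as aligned columns, treats shifted and unshifted keys as the same position, and uses an arbitrary 0.5 adjacency threshold. It shows that the written complexity rules accept `!1Qaz@2Wsx#3Edc` and its one-column-right successor, while a cheap adjacency check flags both and passes an ordinary mixed string.

```python
import string

# Minimum lengths per system, as stated in the thread.
MIN_LENGTH = {"laptop": 15, "server": 30, "app": 10}

# Constructed US-QWERTY grid (assumption: rows treated as aligned columns,
# shifted and unshifted keys share one position).
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
_SHIFTED = ["!@#$%^&*()", "QWERTYUIOP", "ASDFGHJKL:", "ZXCVBNM<>?"]
_POSITION = {}
for _r, (_row, _srow) in enumerate(zip(_ROWS, _SHIFTED)):
    for _c, (_ch, _sch) in enumerate(zip(_row, _srow)):
        _POSITION[_ch] = (_r, _c)
        _POSITION[_sch] = (_r, _c)


def meets_complexity(password, system):
    """The written policy: minimum length per system plus all four character classes."""
    has = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= MIN_LENGTH[system] and all(has)


def not_in_history(password, history, depth=30):
    """The policy's history rule: none of the last `depth` passwords may be reused."""
    return password not in list(history)[-depth:]


def keyboard_walk_fraction(password):
    """Share of consecutive character pairs that sit on the same or a neighbouring
    key (row and column both within 1). A keyboard walk scores high, a random
    string scores low. Characters off the grid never count as adjacent."""
    pairs = list(zip(password, password[1:]))
    if not pairs:
        return 0.0
    adjacent = 0
    for a, b in pairs:
        pa, pb = _POSITION.get(a), _POSITION.get(b)
        if pa is not None and pb is not None \
                and abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1:
            adjacent += 1
    return adjacent / len(pairs)


def evaluate(password, system, history=(), walk_threshold=0.5):
    """Run the written policy and the adjacency heuristic side by side."""
    walk = keyboard_walk_fraction(password)
    result = {
        "complexity": meets_complexity(password, system),
        "history": not_in_history(password, history),
        "walk_fraction": round(walk, 2),
    }
    result["accepted"] = (result["complexity"] and result["history"]
                          and walk < walk_threshold)
    return result


if __name__ == "__main__":
    # Constructed inputs: the pattern from the thread, its shifted successor,
    # and the seasonal example posted further down.
    for pw in ("!1Qaz@2Wsx#3Edc", "@2Wsx#3Edc$4Rfv", "Wint3r!2024"):
        print(pw, evaluate(pw, "laptop", history=["!1Qaz@2Wsx#3Edc"]))
```

The complexity rules alone say nothing about predictability: the walk passes the laptop policy (and only fails the server one on length), and the history rule catches the exact previous string but not its shifted sibling. The adjacency fraction is a crude heuristic, but it is the kind of check a breached-password or pattern filter adds on top of composition rules, which is where a policy like this one actually gains strength.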

[–] Dirk@lemmy.ml 1 points 8 months ago (1 children)

Some users have a barcode scanner connected to the system for doing the business stuff. The barcode scanner registers as HID keyboard ...

Yes, they did exactly what you think.

[–] kiwifoxtrot@lemmy.world 0 points 8 months ago (1 children)

Smart. I've seen it on manufacturing lines for operators logging into SAP. They put the barcode on the back of their badge.

[–] Dirk@lemmy.ml 1 points 8 months ago (1 children)

That makes the badges NFC tags but without actual NFC ...

At least they had the code not in direct sight on their desk.

[–] Appoxo@lemmy.dbzer0.com 2 points 8 months ago

This is advanced post-it under keyboard level

[–] kambusha@lemmy.world 1 points 8 months ago

Wint3r!2024

[–] databender@lemmy.world 4 points 8 months ago (1 children)

This is very close to my workplace but we have about 17 domains to work across, with a separate account for each. It's frustrating sometimes, but in the end I get paid the same either way.

[–] Dirk@lemmy.ml 3 points 8 months ago

Ladies and gentlemen, we have a winner!

[–] blackstampede@sh.itjust.works 3 points 8 months ago

Fucking hell.

[–] ninjan@lemmy.mildgrim.com 2 points 8 months ago

Tell them to move to yubikey or similar hardware key which is far more secure than any password policy will ever be and vastly more user friendly. Only downside is the intense shame if you manage to lose it.

The key should stick with the user thus not be stored with the computer when not in use. The key isn't harmless of course but it takes a very deliberate targeting and advance knowledge about what it goes to and how it can be used. It's also easy to remote revoke. If you're extra special paranoid you could of course store the key locked at a separate site if you want nuclear codes levels of security.

[–] StopSpazzing@lemmy.world 2 points 8 months ago

Yubi keys... for all logins, would solve this mess, geez.

[–] skilltheamps@feddit.de 2 points 8 months ago (1 children)

And they believe all employees actually remember so many wildly different and long passwords, and change them regularly to wildly different ones? All this leads to is a single password that barely makes it over the minimum requirements, and a suffix for the stage (like 1 for boot, 2 for bitlocker etc), and then another suffix for the month they changed it. All of that then on sticky notes on the screen.

[–] Dirk@lemmy.ml 2 points 8 months ago

I've seen plenty of solutions. Sticky notes, a simple text file. External tools like barcode scanners. Using all letters and just 1! at the end (not that this is less secure on a technical level than a completely random string, but it's easier to bruteforce - theoretically), etc. Some people use KeePass (with a stupid 5 letter password).

[–] PlutoniumAcid@lemmy.world 2 points 8 months ago

This insane torture is why there are post-it notes under the keyboards.

[–] ThePowerOfGeek@lemmy.world 1 points 8 months ago (1 children)

This sounds like my old place, but much worse.

We used to have laptops we had to lock in a cabinet (yeah, one of those cabinets with a really puny lock that's easy to pick). And we had to log into an old mainframe system that had numerous environment instances which each required a unique password that had to be changed every 90 days.

We (the software devs) basically rebelled on the laptop situation and insisted they find a better solution. Thankfully they changed policy and allowed the laptops to be locked into our docking stations, which in turn were locked to our desks.

As for the mainframe system credential management, I tried using a standard third party password manager, but a) it wasn't a good fit for the credentials, and b) the sys admins or security team forcibly uninstalled it because it wasn't sanctioned software (even though it was a well-respected and actively maintained one). And our security group refused to go out and find one.

So being a dev, I wrote my own desktop password manager for the mainframe credentials. It was decently secure, but nowhere near as secure as a retail password manager. But it fit the quirks of the mainframe credentials requirements. And after my colleagues and manager did a code review of it, it was considered internal software, and thus fit for use.

As I was leaving they were in the process of removing all our local admin rights (without a clear path on how to accommodate for us developers debugging code - fun times ahead!).

But all of those annoyances pale in comparison to the shit you are having to deal with! Holy hell, that sounds like pure misery! I'm sorry.

[–] Dirk@lemmy.ml 1 points 8 months ago

Temporary workaround applications/scripts becoming de-facto standards sounds familiar. They disabled loading script files in Powershell but you can still copy&paste the file's content ...

People have no idea how absurd IT in corporations is.

[–] BearOfaTime@lemm.ee 1 points 8 months ago* (last edited 8 months ago)

Hahah, omg don't they realize people are writing that shit down?

I'm big on proper security for business, but holy cow that's nuts.

Guess I've been fortunate to work at some huge, well-known orgs that also really understood how to do these things.

One, in the 90's, had already developed an early form of SSO for the 20 backend systems that all had unique username and password requirements. Their call center agents really appreciated it.

[–] RogueBanana@lemmy.zip 1 points 8 months ago

My experience with my company is the exact opposite. Apparently Bitwarden and Vivaldi are not allowed because they have a lot of vulnerabilities so people should continue using edge/chrome and a plain text file for storing all their passwords that they often show on screen share. Had an issue with 2FA cause those assholes decided it's fun to force the Microsoft proprietary authenticator for everyone so I can't use aegis anymore. That issue took a whole fucking month to get resolved cause none of them could comprehend their almighty Microsoft app didn't work on my grapheneos. On an unrelated note, anyone got any openings at your company?

[–] i_am_not_a_robot@discuss.tchncs.de 1 points 8 months ago (1 children)

My favorite is when IT deploys software that replaces all the links in your e-mails with https://example.com/phishing/YiCdMdsY so you can't tell whether the e-mail is phishing or not, frequently sends you very obvious fake phishing e-mails that interrupt your work by going straight to your priority inbox, and punishes anyone caught clicking on phishing e-mails. Then HR sends out e-mails that have all the indicators of low effort phishing and you're supposed to click on those.

[–] Konraddo@lemmy.world 1 points 8 months ago

Omg, my previous company did the same. But you missed a part. If you accidentally left out a real email, thinking it's a scam, then the client will file a complaint.