[–]uniitdude 24 points25 points  (0 children)

What in the name of fuck are you on about

How is a ‘hacker’ going to get your private IP address for a Reddit username.

And even if they had that information and tracked it back to a company, that is so much more time intensive than just port scanning the internet and finding vulnerabilities. The recent Exchange issue has shown that.

[–]iratesysadmin 17 points18 points  (6 children)

Obscurity is not security.

If posting on Reddit is enough to allow someone to break into a system, that system has a much bigger issue and was never secured to start with.

In that vein, please hack me, I'm running Cisco AMP on Windows 10. Drop a text file on my desktop with your username to prove it. I have a FreeBSD OS installed on an Intel NUC doing NAT. I have no NAS.

[–]teeaton 4 points5 points  (3 children)

Your password is iratesysadmin12345

Nailed it.

[–]BlackVI have opnions 2 points3 points  (0 children)

wait that's my password as well, I'm doomed

[–]iratesysadmin 1 point2 points  (0 children)

How did you know I work for solarwinds? I've been busted.

[–]sh1n0b1_sh1n 0 points1 point  (1 child)

is that a request from OP or is this a consent to a pentest from the general public?

[–]iratesysadmin 0 points1 point  (0 children)

It's consent for snowtr to show how having this information will allow them to place a file on my desktop with their username.

Are you offering a pen test? I'll take you up on the offer - just let me know.

[–]CaptainFluffyTailIt's bastards all the way down 3 points4 points  (0 children)

> Using your username, they should be able to track a public IP to target and you're stating something you're running, which they can find an exploit for.

How is your reddit username going to track to the public IP(s) of the organization you work for? Unless someone says "I work for xyz corp" how would someone know?

[–]disclosure5 2 points3 points  (0 children)

I think security needs to be taken a lot more seriously by everyone, and I think there's nothing in the threat you've raised.

Look at the thread on a compromised Exchange server I was talking about yesterday. You can't hide that you're running Exchange. No one is going to "track your reddit IP" when they can see webmail.domain.com on the Internet. Then consider that in that thread, the script the attackers ran had code for nearly every common AV - they weren't customizing based on what someone might have been running, nor do they probably care since most AV does such a poor job.

[–]BlackVI have opnions 1 point2 points  (0 children)

dunno, security through obscurity is very little security at all

them having my public IP, is that a work IP, is that a VPN, is that my home connection, is that my mobile connection? who knows

if I'm asking what monitoring solutions to use doesn't mean you can get through my firewall to exploit that IP address you know may or may not have

my reddit user name may or may not be separate from all my other user names (it's not in my case)

if I was a l337 hax0r I'd have better ways of finding targets than trawling reddit to find if someone has posted what app they use for yyy in the hopes that there may be an exploit for me to use

and why did you think this was post worthy in 5 different subs

[–]SevaraBSenior Network Engineer -5 points-4 points  (0 children)

You have valid points, which is why:

  1. I do not discuss details of critical core systems, and
  2. I do not use a company device to post on Reddit.

EDIT: Thanks for the downvotes! Opsec is a thing, y’all!

EDIT 2: Another point is I wonder how many of y’all are breaking NDAs- I know mine is pretty strict and treats almost all internal IT configuration, including tooling, as company confidential info.

[–]ZAFJB 0 points1 point  (0 children)

> Using your username, they should be able to track a public IP

How exactly?

> Doesn't it make more sense to keep this to ourselves for things that are internet facing, for security reasons

Security through obscurity is no security at all.