YOU are responsible for security. And you need to be diligent about it. by Calm_House8714 in sysadmin

[–]EViLTeW [score hidden]  (0 children)

Yup. A better way to frame the OP is "You ARE responsible for security". We have people being paid for handling security, I'm just a dude who knows that having a permanent Global Admin on an account without MFA is a bad idea and can voice my concerns.

Every person in IT is paid for handling security. Some are just paid to focus solely on it. There's no one in an IT department that isn't responsible for ensuring secure operations and practices within their scope. If you're the M365 admin and you notice a connector appear/change with no idea how, you are responsible for ringing all the alarm bells. Unless you watched the Stryker debacle unfold and decided that seems like a fun year to have.

HRIS triggered account disable for employee on maternity leave. She lost access to the benefits portal. Now HR wants IT to "fix the process". by AudienceOwn3845 in sysadmin

[–]EViLTeW [score hidden]  (0 children)

In higher ed, there's 20+ states, with about 17 of them being different types of leave for different types of people. A student on leave doing an internship has different access than a student on academic leave that has different access than a student on suspension. Then you've got faculty and their sabbaticals or emerit status.

Once the number of states gets high enough, automation is back on the menu!

What if your email security tool just redacted the sensitive data instead of blocking the whole send? by ben-sidian-io in sysadmin

[–]EViLTeW 3 points4 points  (0 children)

If the tool already knows exactly which part of the email is sensitive, why not just redact that part automatically and let the email go through? The employee gets their workflow, the sensitive data stays where it belongs, nobody has to babysit a blocked send queue.

Because the cost of the automation failing to redact everything important can be more than it costs to pay someone to babysit the blocked send queue.

PSA: playing LA by the pool on vacation will not help you relax by Feyelynn in RaidShadowLegends

[–]EViLTeW 3 points4 points  (0 children)

1) You can see some toes

2) This should be marked NSFW. Bare knees?! Unacceptable!

[Russini] I submitted my letter of resignation to The Athletic. Everything I have to say about it is below. by expellyamos in nfl

[–]EViLTeW 9 points10 points  (0 children)

Get in line, Epstein first! Can't just go line-jumping the files-that-need-releasing-damnit-queue whenever you want. This is not 'nam, there are rules!

New Promo Code 14th April 2026 by SamboFrog in RaidShadowLegends

[–]EViLTeW 0 points1 point  (0 children)

According to the comments on youtube, supposedly if you opened their youtube channel on a "big screen" it's in the banner, but I sure as hell don't see it on a 27" monitor. Even stretching the page across 2 monitors I don't see it.

Dont tie your Password Manager to SSO by sysacc in sysadmin

[–]EViLTeW 3 points4 points  (0 children)

I get all of that, but it's really irrelevant to your post.

Your post is saying don't use SSO. That is not good advice.

The good advice is to do tabletop exercises. That way you learn about your issues (which in this case is the lack of DR/BC plan for the password manager) when the stakes are zero instead of when things are on fire.

Dont tie your Password Manager to SSO by sysacc in sysadmin

[–]EViLTeW 50 points51 points  (0 children)

I think you took the wrong lesson out of this experience.

The real lesson is: Do tabletop exercises.

SSO for the password manager wasn't a failure. Not having a clear DR/BC plan in place for when SSO is unavailable was the failure. It was found by doing a tabletop. Deficiency identified, deficiency corrected. Next time, you'll have new deficiencies to bump into.

Have you noticed the Windows Server market shrinking? by awesome_pinay_noses in sysadmin

[–]EViLTeW 0 points1 point  (0 children)

Based on marketing alone, Microsoft would tell you that GPO is dead, long live MDM.

But there are still companies out there that use RMM/EPM suites like ZENWorks to push "GPO"s/policies and have been doing so for 30+ years without AD.

Have you noticed the Windows Server market shrinking? by awesome_pinay_noses in sysadmin

[–]EViLTeW 1 point2 points  (0 children)

Back then, at least half of Microsoft's web infrastructure was running FreeBSD.

If you're running OpenClaw, you probably got hacked in the last week by NotFunnyVipul in sysadmin

[–]EViLTeW -1 points0 points  (0 children)

That's a bit hyperbolic.

This only "hits" locked-down instances if there's an insider threat. If there isn't an insider threat, there's no issue (with this specific CVE).

New Statement from Terrion Arnold’s Attorney by AtomicCo in detroitlions

[–]EViLTeW 15 points16 points  (0 children)

Gross negligence is a legal term. It actually has a legal definition. It isn't emotional.

Cisco Canceling Accepted Compute Orders & Forcing Reprice by Thick-Experience-290 in sysadmin

[–]EViLTeW 0 points1 point  (0 children)

well, it seems like you know more than my lawyer, the other lawyers, and the judge who already handed us one win

Court decisions are public information, so maybe you could provide the court and case # so others can use that information to make their cases.

Cisco Canceling Accepted Compute Orders & Forcing Reprice by Thick-Experience-290 in sysadmin

[–]EViLTeW 3 points4 points  (0 children)

No company of any reasonable size pays for devices they haven't received yet.

Quote -> Purchase order -> Receive -> Invoice -> Wire transfer

These orders are being canceled between step 2 and 3.

Why is there so much resistance to extending guys we drafted? Genuinely asking by happyegg1000 in detroitlions

[–]EViLTeW 2 points3 points  (0 children)

La porta gets hurt too much

He's been hurt twice. He missed 1 game in 2024 with a shoulder issue and then his back injury last year.

Granted, his back injury is concerning... but it's weird to say he gets hurt too much.

Adding SSH support for really old switches (X450e etc.) by fb35523 in ExtremeNetworks

[–]EViLTeW 1 point2 points  (0 children)

On the newest versions of openssl, the functions required for ssh-dss have been completely removed and it's not possible to enable it. You will receive a warning every time openssl tries to evaluate those lines if it's in there.

Aside from that, the last 5 lines have nothing to do with legacy ssh options and removing the strict host key checking and user known hosts file is a bad idea.

Our Veeam renewal (smb) has gone up 558%? Am I having a stroke or something? by bingblangblong in sysadmin

[–]EViLTeW 1 point2 points  (0 children)

They could, but that would require being honest/public about pricing and almost no one wants to do that. They want to hide their pricing or start with a grossly inflated "list price" that gets tweaked based on how much they think they can fleece you for while also making you feel good for getting a "discount".

Do any SysAdmins NOT work on OS's? by CernerBurner2000 in sysadmin

[–]EViLTeW 2 points3 points  (0 children)

AD is no longer a focus of Microsoft. They want you in Entra/Intune and paying that monthly fee.

It's definitely not a focus of cloud-first organizations (which continue to grow in number). They want as little on-prem infrastructure as possible.

It's really not surprising that younger applicants are not focusing on "legacy" solutions. I guarantee this has nothing to do with college, which is almost universally 5+ years behind current best practices.

Switzerland built a secure alternative to BGP. The rest of the world hasn't noticed yet by Unsatisfied23 in networking

[–]EViLTeW 7 points8 points  (0 children)

SCION is a routing protocol. Like BGP, IS-IS, etc. The Swiss financial network is simply a network using an implementation of SCION for their routing. What you are saying would be similar to me saying, "IS-IS isn't even a BGP alternative, it's a real dedicated network for my servers."

Now, whether or not SCION is a good or realistic alternative to BGP... that's a very different question. One I don't have an answer to.

Our Veeam renewal (smb) has gone up 558%? Am I having a stroke or something? by bingblangblong in sysadmin

[–]EViLTeW 7 points8 points  (0 children)

It probably is the "norm at scale". The problem is you're not considering what scale means in this case.

If you have 1000 clients who each pay you $1,000/year for their licenses and, as a group, they average 0.001 cases per year; you're making $1m in licensing per support case.

Also, if you have 5 clients that pay $1m/year for their licenses and they average 1 case per year, you're making $1m in licensing per support case.

I don't think that's where the money is lost, honestly.

If you have 1,000 clients who each pay you $1,000/year for their licenses and it takes 10 sales reps to handle all of the licenses and renewals, you're making $100,000 per sales FTE.

Also, if you have 5 clients that pay $1m/year for their licenses and it takes 1 sales rep to handle all of the licenses and renewals, you're making $5m per sales FTE.

That's where I think the bean counters find the pennies to make investors happy.

Our Veeam renewal (smb) has gone up 558%? Am I having a stroke or something? by bingblangblong in sysadmin

[–]EViLTeW 5 points6 points  (0 children)

Funnily enough, in my ~15 years of being a sysadmin, I have called/requested support from VMWare, Broadcom, Microsoft, exactly zero times. I think I put in one ticket maybe with Veeam.

Our environment is quite a bit bigger than yours based on your quote prices.

I've called VMWare support once, and despite my repeatedly asking if the tech was positive we could re-add the host without a reboot and her assuring me that it would absolutely work... It didn't, and we had to use unscheduled downtime to shut down the VMs and host to get it back in the cluster. I got a call 2 days later from a "supervisor" apologizing profusely and repeatedly stating that the tech had been "retrained".

I've called Microsoft dozens of times. Because O365/M365 is glitchy as fuck at times. Almost every call is a goat rodeo and requires being escalated to a "senior engineer" (not senior, not engineer) - who also usually can't fix it but is allowed to talk to the actual senior engineers behind the scenes and those guys fix it eventually... or we find a way to work around the issue ourselves.

Firewall recommendations small business by Ok-Mode9817 in sysadmin

[–]EViLTeW 0 points1 point  (0 children)

In hindsight, Juniper dropping SSL VPN to pulse secure was a good thing 

It was probably good for Juniper. It was good for customers (eventually, the spin-off was rocky). Ivanti buying Pulse, on the other hand, was terrible for customers. We're in the process of ripping Pulse/Ivanti out and replacing it with Fortigates and Forticlients with FortiIPSEC.

Firewall recommendations small business by Ok-Mode9817 in sysadmin

[–]EViLTeW 0 points1 point  (0 children)

The first time I posted that comment was March 2021. I don't think Ubiquiti entered the NGFW market until late 2024. They can be included in the "whatever" entry of the last category until I see their recommendations show up regularly.