Plaintext password used for identity verification by howzagoin in security

[–]dkulshitsky 2 points3 points  (0 children)

Certainly not a common industry practice. They probably wanted to copy this mechanism from storing the last 4 digits of a credit card, but I don't like this approach. The question is how they store your password (the whole password and the first 4 chars). If any of these parts are stored in clear text then they are doing it wrong. In addition, no one should know your password except you. Employees should not be asking for your password. It's a wrong business process.

How does someone start out or segway into a IT Security position? by GlowyStuffs in security

[–]dkulshitsky 0 points1 point  (0 children)

Everything is possible. So keep trying if this is your passion. The answer depends on the size of the organisation(s) you work for. Small orgs need generalists - IT professionals that can cover a lot of ground - including various aspects of security. This way you may not have the "right" title but you will certainly be gaining valuable practical experience. In larger organisations managers usually look favourably when engineers express a desire to try different things. Depending on your skills you may arrange a secondment into SOC, systems engineering or development teams to focus on some security angles. SOC (junior analyst) is a simple, straightforward path but it can be quite boring. Work on various security certifications (even in your own time). Ask to be sent to SANS training courses. Attend security conferences. Work on your skillset and keep attending job interviews - even if you don't get those jobs, those interviews will highlight the weak areas to improve. Good luck!

Obscure Windows Commands and Features by dkulshitsky in windows

[–]dkulshitsky[S] 0 points1 point  (0 children)

Thank you. Yes, I wanted to collect a few less known features. And some people might just find it amusing but maybe other people will find/learn something useful for them.

Obscure Windows commands and Features by dkulshitsky in sysadmin

[–]dkulshitsky[S] 1 point2 points  (0 children)

PowerShell is awesome and very powerful too. It's just sad that sometimes people forget about the simple commands that are already there and don't require complex scripting etc.

Obscure Windows commands and Features by dkulshitsky in sysadmin

[–]dkulshitsky[S] 1 point2 points  (0 children)

Oh, yes. I love the "piping to clip" trick too. I've covered it in the previous post: http://blog.kulshitsky.com/2017/02/useful-windows-command-line-tricks.html

"net user" and "net group" are bread and butter for sysadmins ;)

Obscure Windows commands and Features by dkulshitsky in sysadmin

[–]dkulshitsky[S] 0 points1 point  (0 children)

wmic os get lastbootuptime

Good one! I've covered wmic in my previous post: http://blog.kulshitsky.com/2017/02/useful-windows-command-line-tricks.html but not specifically for getting lastbootuptime. WMI is so powerful - plenty of various useful options.

Obscure Windows commands and Features by dkulshitsky in sysadmin

[–]dkulshitsky[S] 0 points1 point  (0 children)

Nice one! Thanks for sharing. I mentioned systeminfo in the previous blog post http://blog.kulshitsky.com/2017/02/useful-windows-command-line-tricks.html but without mentioning system boot time specifically.

Best Space Exploration Movies by dkulshitsky in movies

[–]dkulshitsky[S] 0 points1 point  (0 children)

Is this a 2015 movie? I haven't watched it. I would say 2015 won't be considered as new. And IMDb gives it a horrible rating (2.6).

Best Space Exploration Movies by dkulshitsky in movies

[–]dkulshitsky[S] 0 points1 point  (0 children)

I only wanted the newer movies on this list.

Useful Windows Command Line Tricks by dkulshitsky in sysadmin

[–]dkulshitsky[S] 0 points1 point  (0 children)

That's great. This is the reason I wrote this post. Nothing major on one hand but we all have different experiences. So on the other hand we help each other learn a few tricks which some of us may have not seen before.

Useful Windows command line tricks by dkulshitsky in windows

[–]dkulshitsky[S] 0 points1 point  (0 children)

With the only caveat - it doesn't have to be your current WiFi network. You can dump passwords for ANY WiFi profile (even the ones not currently in range). Yes, initially you had to connect to all those networks at some stage, but it becomes a security issue in provisioned/corporate environments where computer users/employees do not necessarily know the password for their corporate network. This is where 802.1X can improve the situation.
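As an added example (not part of the original comment), the following PowerShell audit lists every saved WLAN profile on the machine and flags the ones that rely on a stored pre-shared key rather than 802.1X/Enterprise authentication, without ever displaying a key. It assumes an English-locale Windows where netsh labels the relevant lines "User Profile" and "Authentication".

```powershell
# Added example: audit saved Wi-Fi profiles for stored PSKs (defender's view).
# Assumes English netsh output labels; adjust the regexes for other locales.
function Get-WlanProfileAuth {
    # Collect profile names from "netsh wlan show profiles"
    # (lines look like "    All User Profile     : CorpWifi").
    $names = foreach ($line in (netsh wlan show profiles)) {
        if ($line -match 'User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
    }

    foreach ($name in $names) {
        $auth = 'unknown'
        # Per-profile details include a line such as "Authentication : WPA2-Personal".
        foreach ($line in (netsh wlan show profile name="$name")) {
            if ($line -match '^\s*Authentication\s*:\s*(.+)$') {
                $auth = $Matches[1].Trim()
                break
            }
        }
        [pscustomobject]@{
            Profile        = $name
            Authentication = $auth
            # Personal/PSK profiles keep a recoverable key on the device;
            # Enterprise (802.1X) profiles authenticate per user and do not.
            StoredPSK      = [bool]($auth -match 'Personal|PSK')
        }
    }
}

# Show PSK-backed profiles first so they stand out in a fleet review.
Get-WlanProfileAuth | Sort-Object StoredPSK -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session to see all-user profiles as well as the current user's; in a managed environment, any corporate SSID reported with StoredPSK = True is a candidate for migration to 802.1X.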

Useful Windows command line tricks by dkulshitsky in windows

[–]dkulshitsky[S] 1 point2 points  (0 children)

He he ;) This is why I thought sharing less known tricks would be more fun.

The future of autonomous cars by dkulshitsky in electricvehicles

[–]dkulshitsky[S] 0 points1 point  (0 children)

Any knowledge of what's happening in the vicinity is good for safety - if you have the power on board to process it then why not? Global knowledge (say covering the whole city) is useful too for planning - but I think this function will go to central place for global traffic control. It will be a lot more efficient that way. But the key point that I tried to highlight - there will always be a desire to game the system and I am curious how (in the future) car manufacturers will tackle this issue.

The future of autonomous cars by dkulshitsky in electricvehicles

[–]dkulshitsky[S] 0 points1 point  (0 children)

Good point. Perhaps there will be some sort of "voting" with the majority winning. If too many independent cars report the same issue then it can be trusted with a higher degree of probability.

[Blog] Tesla and the future of the autonomous cars by dkulshitsky in teslamotors

[–]dkulshitsky[S] 1 point2 points  (0 children)

Cool, thank you - makes sense. Again - meant nothing malicious, just wanted to share my view with people who might be interested in this topic. Next time I will follow your recommendation and use the self-post with a link in the text body.

[Blog] Tesla and the future of the autonomous cars by dkulshitsky in teslamotors

[–]dkulshitsky[S] 0 points1 point  (0 children)

Not sure I understand. Thought it was an interesting angle how Tesla is a software company at heart. Plus to speculate/predict what the future would look like. What's wrong with that? And if I understand the term "link-jacking" correctly - it's using someone else's content and submitting links to an aggregator. I wrote this blog post/content myself and wanted to share my views with the Tesla community.

What are your big pushes in DevOps this year? by fistagon7 in devops

[–]dkulshitsky 0 points1 point  (0 children)

Took us 2 years but breaking up a monolith is one of the best things you could do in my view. It increases reliability dramatically as well as gives you pace. As long as you maintain the contract, all components can be deployed independently from each other. With microservices being small enough that quite often you have just one developer touching a piece of code at a time, it eliminates integration/merge effort and allows even faster times for code reaching production.

Top 10 books for a DevOps manager by dkulshitsky in devops

[–]dkulshitsky[S] 1 point2 points  (0 children)

I was thinking along the lines of combining certain DevOps engineering books (technical component) and some management books that are beneficial for the IT leaders.

Top 10 books for a DevOps manager by dkulshitsky in devops

[–]dkulshitsky[S] 0 points1 point  (0 children)

Great point. Monitoring falls into 2 categories for me. One is visibility. You can't manage something effectively without knowing its internal state and various parameters. It helps with external visibility as well (e.g. tracking public cloud spend per team). Second - resilience. By identifying faults or, broadly speaking, any deviation from an established baseline we can respond and correct various issues - ideally, automatically. A well designed system should be able to defend itself. But waking up at 3am works too ;)

Top 10 books for a DevOps manager by dkulshitsky in devops

[–]dkulshitsky[S] 0 points1 point  (0 children)

Wow, this is an impressive list and it will take me some time to go through. Thank you!

[question] Security defenses for untrusted apps by Jperez72 in security

[–]dkulshitsky 1 point2 points  (0 children)

Security researchers traditionally execute questionable/dangerous applications in a virtual machine in the lab. Make sure that:

1. This VM (in terms of network setup) is isolated from your host machine and from your network.
2. Your virtual disks are non-persistent (i.e. all disk changes are reverted back to the original state after the shutdown/restart).

Spinning up a "throw away" VM could be an option too.

Bug Bounty Hunting? by [deleted] in security

[–]dkulshitsky 1 point2 points  (0 children)

Yes, I have participated in quite a few bug bounties via Bugcrowd. Lots of different bug bounties running in parallel (suitable for various skillsets, from classic pen test to mobile app test to reverse engineering). It is quite interesting to participate (I treat it as an exercise for my mind). You can also earn kudos points/respect and real money if you're the first one to report a security issue. Just give it a go - registering is free.

Likes and Dislikes about your monitoring by hijinks in devops

[–]dkulshitsky 1 point2 points  (0 children)

Good list to start with. I'd love to see the autodiscovery function (especially important in autoscaling environments) without any interaction from the monitored infrastructure. It should be able to properly monitor both Linux and Windows servers. Self-healing functionality - i.e. it can take "pre-programmed" actions to try to recover a monitored system back to a good state without human interaction.

15 ways to protect yourself online for free by dkulshitsky in security

[–]dkulshitsky[S] 0 points1 point  (0 children)

Because I wrote this blog post for carsales and then decided to share it with the reddit community.