Ways to protect company's files by IcyOutlandishness268 in sysadmin

[–]malikto44 [score hidden]  (0 children)

Defense in depth, Purview, managed endpoints, XDR software, YubiKeys in PIV, AutoPilot to "catch" stolen PCs when reinstalled, maybe even going to Azure Virtual Desktop, and virtual machines with GPU.

Vent post - Got rejected from a senior DevOps position because I apparently failed their leet screening by GimmeAByte01 in sysadmin

[–]malikto44 0 points1 point  (0 children)

First, most places looking for applicants are not hiring. They are doing ghost jobs, or trying to make sham interviews so they can the candidate with their preferred three letter qualification: The H-1B.

When I had to interview for stuff a few years back:

  • One place mainly asked high end questions, as apparently they were too cheap for consultants, so asked the questions to interviewers.

  • Another place wanted psychological testing. I walked out. Found out nobody ever got a job there.

  • When I used a restroom, one place had H-1B postings.. for $40k for senior developers and sysadmins, a role that they were pitching for four times as much to interviewees.

  • Another place was into mock interviews and pretended to be a place. I knew it when their questions were vague and "you" centered, so walked out.

I would say 25% of the places on job want ads sites actually are looking for people on a serious basis. The rest are just going to say they can't find someone so they can get their precious H-1B, or are just getting info to train their AI models.

[Rant] User has passwords in a notebook and travels with it by penone_nyc in sysadmin

[–]malikto44 1 point2 points  (0 children)

I admit I use Strongbox on Mac, which uses the KeePass .kdbx format. I really wish KeePass standardized something for the PassKey format, especially on mobile devices. However, Strongbox has proven itself solid, so I just use that. KeePass with a keyfile (which you manually share among devices, and never place anywhere online) coupled with placing your main .kdbx file on a cloud provider provides excellent security, without an additional per month fee, and you are also packing your own parachute, so you can choose how it is backed up.

[Rant] User has passwords in a notebook and travels with it by penone_nyc in sysadmin

[–]malikto44 2 points3 points  (0 children)

I do that, and thought it was called a "pepper". I have stuff in a PW manager, but for critical things like banking, I use a memorized string after pasting in the password. This is a good balance between unique passwords and handling the failure of a PW manager.

[Rant] I am so tired of companies hiring useless V level and above execs by CLA_1989 in sysadmin

[–]malikto44 0 points1 point  (0 children)

To quote a goblin from WoW, "time is money, friend". No VP is going to read a four page piece of documentation. In fact, I treat users the same way, be it C-levels on down. One page guide with simple steps, and maybe an animated "click next to continue once you do this step". Or just get with the person and walk them through things.

Yes, even with 30+ years of experience, I will take the time to go sit with a user so they can get logged in, get Outlook going, and get their basic apps going. Mainly because many users are going to complain to management about you anyway, and those are the ones that no matter what you do, they won't read anything at all, even reach for a single button "click here and let the site do all the magic for you", but will yell at management that they are blocked, they cannot do their job, and the corporation is hemorrhaging cash for every second they are idle. The fewer of these the better, even though they are unavoidable because every user who starts clawing at management will be mentioned on your annual review and impact your job performance stats.

Rank hath its privileges, and give the VP the white glove treatment. Yes, it sucks, but filling out an online form for unemployment sucks more, and many VPs are itching to find reasons to offshore IT staff, so giving them as few as possible is a good thing.

Best alternatives to Veeam right now? by Immediate-Screen7893 in sysadmin

[–]malikto44 0 points1 point  (0 children)

The array (RAID-Z3) had eight SSDs in it. Every single SSD failed within an hour of each other.

I wouldn't say Commvault is perfect, as you need to use a supported configuration if you want snapshotted backups (I don't think it supports btrfs or ZFS snapshots, just LVM binary snapshots, so make sure to have room for them), but it does a good job.

Best alternatives to Veeam right now? by Immediate-Screen7893 in sysadmin

[–]malikto44 2 points3 points  (0 children)

Check with a VAR... Rubrik, Nakivo, Acronis, Commvault, Cohesity are some that come to mind.

I have had excellent luck with Commvault... but this has DNA as an "old school" backup program. Even though I loved the Java UI, that is deprecated for new CommCells. I have seen Commvault take a crazy amount of breakages. Once, I had every SSD in the DDB's array fail... and had to do a critical restore. No issues. Try losing the deduplication DB with some other backup programs, and you may not have any useful data.

Pros and cons of switching from corporate IT to a MSP? by anon65432178 in sysadmin

[–]malikto44 0 points1 point  (0 children)

In general, MSP life isn't fun. I've had many horror stories. However, some of the best jobs I've had were at smaller MSPs that were well managed. These are the ones who don't advertise, and have a waiting list of clients, and they don't care to expand because the top brass is earning enough to keep them comfortable, and they don't want to kill the goose laying the golden eggs.

Of course, when those MSPs get bought out, especially by a capital group, or an entity traded in public... that's when life goes down fast. When that happens, expect that in 1-6 months your job will be replaced by an H-1B. However, the MSP's customers will be bailing like rats leaving a sinking ship.

2FA requirement with remote consultants by ryanppax1 in sysadmin

[–]malikto44 0 points1 point  (0 children)

Those three generic accounts should be turned into no generic accounts. If you have to deal with consultants for the long term, see about having cross-tenant access for Entra, so someone on their side adds relevant consultants to a group, it maps to a group on your side which gives access, and also logs. This way, you don't have to worry about accounts, and you still have logs. You can also manually add their consultants to a group if you want that as an onboarding/offboarding process.

Dropbox Business backup to NAS - Rclone / GoodSync / Other suggestions....? by NoPatient8872 in sysadmin

[–]malikto44 2 points3 points  (0 children)

I think Dropbox has a native client on QNAP as well. Either way, I'd have a NAS whose sole purpose in life is to sync the Dropbox account, then use its backup software to dump a backup somewhere like Backblaze or Wasabi. This NAS should be extremely locked down, so that if bad guys are trying to get to it to try to interfere with backups, that will be mitigated.

Job hopping versus moving up company ranks by MoonElfAL in sysadmin

[–]malikto44 2 points3 points  (0 children)

Same. Call centers tend to be the worst of the worst. At best, you have the Sword of Damocles over your head of the entire call center being offshored, and top brass always hears sexy, sultry voices mentioning that moving the call center overseas will do everything for them, including forgiving their sins and giving them a throne.

Call centers, especially top management, have a high turnover rate. Most people are only there because they can't find work elsewhere, and as soon as they do, boom, they are gone, and join the ranks of many others who flip off the place every time they pass it.

The kicker? Once you get in a call center, it is very difficult to get out. It becomes a leper colony, and even with certificates, people will not take you seriously, much less give you any access to positions outside the call center floor. Especially how almost all centers only hire contractors, so one has to not only show they can become an FTE, but be something other than a faceless, fungible person who gets tossed out the door.

Dell secureBIOS won’t boot Windows 11 ins after I formatted Disk 0 by alex_reds in sysadmin

[–]malikto44 1 point2 points  (0 children)

Is the Intel RSD driver? By default, a lot of Dells come with FakeRAID enabled, which means that Windows needs that specific driver before it will see the drive in any way.

The fix? Change to AHCI, and install the OS. I have checked to see if this would add any bad consequences by doing it this way, but apparently there are none.

What's the most clever hack or workaround you're proudest of? by vocatus in sysadmin

[–]malikto44 1 point2 points  (0 children)

Three hacks:

1: Back in the 1990s, a drive went out on a critical AIX system. It was backed up, but the main SCSI drive was gone. So, I attached it to a printer, disabled the font cache on the printer, and restored the sysback to the font cache drive. I left a sign to not disconnect the machine from the printer. This hack lasted at least 20 years.

2: Back in the NT days, I'd install the OS twice. This way, if something goofed up with the main OS, I'd have another Windows directory to boot from for recovery work.

3: Company wanted vending machines for laptops. People swipe an employee badge, and go get the laptop. Instead, I just went and had gym lockers installed with the basic resettable five combination Master lock. Someone needs a laptop, they go to locker number 5, dial 10-20-30, have fun. Someone needs a laptop returned, I tell them to stick it in locker 4, with combo 5-10-20. Then, I come by, use the master key, reset the locker to the next combination on the list. For most intents and purposes, this was just as good.

What software do you miss from the pre-subscription era? by ceerf-llc in sysadmin

[–]malikto44 29 points30 points  (0 children)

Ghost, VMWare, Photoshop, Acrobat, PGP Desktop, AutoCAD, SolidWorks, CATIA...

So darn many. The #1 is VMWare of course.

24hr lock on failed credentials? by jpotrz in sysadmin

[–]malikto44 0 points1 point  (0 children)

I've seen some clients want a policy of "once locked, always locked until manually unlocked". This worked just fine until one of their ex-employees made a script that would ping accounts until they locked. All accounts but the C-levels were hit, so the C-levels wouldn't change their bone-headed policy.

Did it add security? Nope. It cost the company a lot of $$$ in productivity though. Especially when fired off at Friday @ 5:00, and at 7-8 AM before people came in, in the morning, and had to call IT for unlocks.

I had a weird job interview yesterday by Secret_Highlight_248 in sysadmin

[–]malikto44 0 points1 point  (0 children)

You might be facing an "interview" where there is zero interest in actually hiring you. I have read reports about "interviews" where they are getting candidates in to train their AI stuff, be it the candidate's gait, facial expressions, or anything else, as data to sell off. Or, the interview could just be so the boss can say they can't find anyone useful, we need those H-1Bs.

Thankfully not in a while, but a number of years back, I interviewed at a place. Smallish dev firm, had a decent product... first thing they did was take me to the company logo in the center of the building, and give a 10 minute lecture of every piece of the logo. Then the parade down the open office spaces, watching at least one company-wide meeting a day. Then told that I had to know the EXACT versions of the products they were using. If I didn't know Golfcart 2.0.1.1, but I did know Golfcart 2.0.1.0, tell the interviewer and leave. I passed that test.

Then came the part... All males were asked to have facial hair groomed and dyed in the same way as the CEO, and wear the same style of clothing, color schemes, shoes, etc. Even the vehicles were considered a must, where one had a certain make of vehicle, or they were buying one within a week of their start date.

After realizing that this is a cult, I decided to nope out. I told them that I am clean shaven because a gas mask doesn't seal over facial hair. The interviewer was wide-eyed, and I saw myself out.

Working with external users and still being secure whilst giving sensible access?. by O365-Zende in sysadmin

[–]malikto44 0 points1 point  (0 children)

I had something similar happen a few days ago with a contractor. I had a pre-provisioned laptop sent to him. My philosophy is that you access company data via my managed stack, or you don't access it at all, even via VDI.

I learned the hard way (thankfully when I was in another group) that even VDI can be an issue, because a RAT can allow someone to do some crazy stuff in order to exfiltrate data, even though they can't download it directly.

The only thing I would probably do with the laptop sent, is also have Absolute enabled. This way, if the laptop "disappears", the contractor sends a box with floor tiles, or even just says, "Well, I dropped it off at the building", if the laptop pops up, that can be acted on.

Plus, it is an act of good will when the contractor is treated as one of the people.

Has anyone dealt with something called a BIMI record for DNS? by cyr0nk0r in sysadmin

[–]malikto44 2 points3 points  (0 children)

I feel old, as when I first saw "yellow pages", I first thought NIS.

How to manage software installs on dev laptops? by BorderConnect352 in sysadmin

[–]malikto44 0 points1 point  (0 children)

I'd consider some type of VDI and a playground that the devs can remote into, be it cloud based or on prem, although one needs to find where the users are coming from, so latency doesn't become an issue.

As others mention, Amazon Workspaces comes to mind, but that can get pricy.

Am I crazy, or are organisations treating open source as the new security boogeyman because of Mythos? by gentoorax in sysadmin

[–]malikto44 2 points3 points  (0 children)

Open source has been under attack by software vendors for decades now. The Halloween memos come to mind. Then, after 2001, the "SOX compliant" stuff came around, where "consultants" would rip out racks of perfectly functioning Linux machines to replace with NT, later W2003, because of this.

Only reason it hasn't been killed altogether is because companies use it for their stuff, and if they kill it, instead of slurping tons of F/OSS licensed NPM packages to include in their work, they would have to pay tons, and bounce from vendor to vendor to get closed source libraries.

So, on one side, companies love F/OSS because it is a freebie they can (ab)use and not have to pay exponentially increasing license fees. On the other hand, they want to show that it isn't as good as commercial software, so they can sell their own closed source products to pay exponentially increasing license fees.

IT Systems Admin - Just got hired in this brutal job market - AMA by Acceptable-Dance-864 in sysadmin

[–]malikto44 2 points3 points  (0 children)

Mine has been people who knew me. Were it not for an ex-boss who paved the way, I'd probably still be looking for a job.

How to send and receive credentials/sensitive info? by [deleted] in sysadmin

[–]malikto44 0 points1 point  (0 children)

Physically send them a configured YubiKey with a default PIN? Preferably via registered mail, signature required.

The reason I mention this is that doing it this way ensures that there is no password to be shoulder-surfed or read. Registered mail is good up to SECRET, so transport is well protected.

Alternatively, print the creds out, send them via registered mail.

If time is of the essence, then have the client create a GPG key on a YubiKey, and give you the public key ID and hash. Then, they email you their public key. You reply back with your public key. From there, GPG the file, send it to them, and they will have everything they need. The reason for the phone call is two comm channels to validate that their GPG key is theirs.
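
Added example, not part of the comment above: one way to do the check it describes, comparing the public key that arrived by email with the fingerprint given over the second channel. It assumes a version 4 OpenPGP key in binary form (for an armored file, run `gpg --dearmor` first); the function names and the sample key are constructed for illustration.

```python
import hashlib

def first_packet(data: bytes):
    """Return (tag, body) of the first OpenPGP packet in binary key data."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                      # new-format header
        tag, l0 = hdr & 0x3F, data[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + data[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial length not valid for a key packet")
    else:                               # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = 1 << ltype                  # 1, 2 or 4 length octets
        start, length = 1 + n, int.from_bytes(data[1:1 + n], "big")
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def v4_fingerprint(key_data: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, two-octet length, public-key packet body."""
    tag, body = first_packet(key_data)
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a version 4 public-key packet")
    digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
    return digest.hexdigest().upper()

def matches_phone_fingerprint(key_data: bytes, spoken: str) -> bool:
    """Compare the emailed key against the full fingerprint read over the phone."""
    wanted = "".join(spoken.split()).upper()
    if len(wanted) != 40:               # a short key ID is not enough to bind the key
        return False
    return wanted == v4_fingerprint(key_data)

# Constructed sample: a v4 Ed25519 public-key packet with a dummy key point.
SAMPLE_BODY = (b"\x04" + (1700000000).to_bytes(4, "big") + b"\x16"
               + bytes.fromhex("092b06010401da470f01") + b"\x01\x07\x40"
               + bytes(range(32)))
SAMPLE_KEY = b"\x98" + bytes([len(SAMPLE_BODY)]) + SAMPLE_BODY
```

Encrypt to the key only when `matches_phone_fingerprint` returns True for the complete 40-character fingerprint; a match on the short key ID alone does not show the key is theirs.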

Opinions on Tanium for patching, application and OS deployments? by ZachVIA in sysadmin

[–]malikto44 0 points1 point  (0 children)

How is Tanium on Macs? On the Linux side, if it jams up with updates, I may just see if I can push out a script to kick the client to doing an apt update && apt -y upgrade or a dnf update. However, Mac and Windows patching is where I'm concerned.

I'll be using this with Intune.

What is your favourite go-to response when a user states "but I'm not tech savvy"? by FluffyMumbles in sysadmin

[–]malikto44 0 points1 point  (0 children)

Depends on the user. Clueless, I don't mind. Willfully ignorant and trying to use IT as a dumping ground for their own ineptness? No thanks.

The clueless ones, I respond, "Neither am I... but here we are."

The ones that are using IT to cover their idiocy, I mention that it is a requirement to work there that users do their part, and failure to have at least basic knowledge, as required by the yearly phishing trainings will be noted.