This one beats them all and it’s going to make me laugh until tonight:
-
@stefano In a previous role, I used to sometimes triage what were generously called vulnerability reports on our software product. I wish I had a dollar for every one which began "Step 1: Become the administrative user."
@carson This is funny! But yes, this happens. When those asstments start with “if a superuser will start a vulnerable service running as root, and opens a firewall port, and gives the address to others, and and and and…”
-
@stefano Give him your user and the root password just to make sure the pen test goes as expected
@lfa Wise idea. I will
-
This one beats them all and it’s going to make me laugh until tonight:
“I’ve been assigned to carry out a penetration test on a server you manage. The test will be performed from the outside, since the perimeter security needs to be assessed. In order to perform the test, I therefore ask you to disable any firewall, protection, blacklist. If any of these are in place, the server might not be reachable and could prevent the assessment.”
I had to read it three times just to make sure I’d understood it properly.
@stefano Is "outside" in this specific case the pen tester standing in the car park shouting obscenities at the building because they can't get in?
-
@stefano Is "outside" in this specific case the pen tester standing in the car park shouting obscenities at the building because they can't get in?
@greem Yes, it probably is
-
@carson This is funny! But yes, this happens. When those asstments start with “if a superuser will start a vulnerable service running as root, and opens a firewall port, and gives the address to others, and and and and…”
@stefano @carson Raymond Chen @ Microsoft occasionally posts stories about “the other side of this airtight hatchway”, or security vulnerability reports which require escalation first, which always give me a chuckle.
I don’t think there’s an index, but you can search “site:devblogs.microsoft.com other side of the airtight hatchway” to find them.
-
This one beats them all and it’s going to make me laugh until tonight:
“I’ve been assigned to carry out a penetration test on a server you manage. The test will be performed from the outside, since the perimeter security needs to be assessed. In order to perform the test, I therefore ask you to disable any firewall, protection, blacklist. If any of these are in place, the server might not be reachable and could prevent the assessment.”
I had to read it three times just to make sure I’d understood it properly.
@stefano "little pig, little pig, let me come in?"
"That's not how pen testing works, big bad wolf."
-
@stefano the assessment: "adding firewall, some protection, and blacklist would significantly improve security of the server".
Can I send them my bank account number?
In all fairness security shouldn't depend on any one layer of protection, but yes, this is really rather ridiculous. So yes, Stefano, I'm pretty sure you understood the request correctly.
Let's also make sure indeed that they also have login credentials that will let them log in as root. Maybe email them the SSH host private keys while we're at it?
-
This one beats them all and it’s going to make me laugh until tonight:
“I’ve been assigned to carry out a penetration test on a server you manage. The test will be performed from the outside, since the perimeter security needs to be assessed. In order to perform the test, I therefore ask you to disable any firewall, protection, blacklist. If any of these are in place, the server might not be reachable and could prevent the assessment.”
I had to read it three times just to make sure I’d understood it properly.
@stefano "please open an attack vector for me. I need to get paid"
-
This one beats them all and it’s going to make me laugh until tonight:
“I’ve been assigned to carry out a penetration test on a server you manage. The test will be performed from the outside, since the perimeter security needs to be assessed. In order to perform the test, I therefore ask you to disable any firewall, protection, blacklist. If any of these are in place, the server might not be reachable and could prevent the assessment.”
I had to read it three times just to make sure I’d understood it properly.
@stefano yeah these are ridiculous. Why the hell would you disable your firewall? Also these aren't penetration tests, they're just vulnerability scanners.
-
This one beats them all and it’s going to make me laugh until tonight:
“I’ve been assigned to carry out a penetration test on a server you manage. The test will be performed from the outside, since the perimeter security needs to be assessed. In order to perform the test, I therefore ask you to disable any firewall, protection, blacklist. If any of these are in place, the server might not be reachable and could prevent the assessment.”
I had to read it three times just to make sure I’d understood it properly.
@stefano "my nmap isnt coming back with anything and I need something to put in my report"
-
@stefano "little pig, little pig, let me come in?"
"That's not how pen testing works, big bad wolf."
@jspath55 yes, exactly!
-
In all fairness security shouldn't depend on any one layer of protection, but yes, this is really rather ridiculous. So yes, Stefano, I'm pretty sure you understood the request correctly.
Let's also make sure indeed that they also have login credentials that will let them log in as root. Maybe email them the SSH host private keys while we're at it?
-
This one beats them all and it’s going to make me laugh until tonight:
“I’ve been assigned to carry out a penetration test on a server you manage. The test will be performed from the outside, since the perimeter security needs to be assessed. In order to perform the test, I therefore ask you to disable any firewall, protection, blacklist. If any of these are in place, the server might not be reachable and could prevent the assessment.”
I had to read it three times just to make sure I’d understood it properly.
@stefano Are they testing the equipment or are they testing the staff? (Though anyone who falls for someone asking them to do that deserves to be sacked.)
-
@stefano "please open an attack vector for me. I need to get paid"
@clf or "open an attack vector, otherwise I don't know how to proceed"
-
@stefano Are they testing the equipment or are they testing the staff? (Though anyone who falls for someone asking them to do that deserves to be sacked.)
@beecycling officially, "how the services are vulnerable from the Internet"
-
This one beats them all and it’s going to make me laugh until tonight:
“I’ve been assigned to carry out a penetration test on a server you manage. The test will be performed from the outside, since the perimeter security needs to be assessed. In order to perform the test, I therefore ask you to disable any firewall, protection, blacklist. If any of these are in place, the server might not be reachable and could prevent the assessment.”
I had to read it three times just to make sure I’d understood it properly.
@stefano At my previous job company hired someone for such test. One of requirements was to install their a server on our network for duration of test. So they can better understand network topology and services to test.
-
This one beats them all and it’s going to make me laugh until tonight:
“I’ve been assigned to carry out a penetration test on a server you manage. The test will be performed from the outside, since the perimeter security needs to be assessed. In order to perform the test, I therefore ask you to disable any firewall, protection, blacklist. If any of these are in place, the server might not be reachable and could prevent the assessment.”
I had to read it three times just to make sure I’d understood it properly.
You couldn't make that up.
-
@stefano At my previous job company hired someone for such test. One of requirements was to install their a server on our network for duration of test. So they can better understand network topology and services to test.
@anparker this makes some sense. They can study the network from inside. But still...
-
@mms You deserve it much more than them
-
@stefano yeah these are ridiculous. Why the hell would you disable your firewall? Also these aren't penetration tests, they're just vulnerability scanners.
vibes