
I did a job where I was given access to a server in the form of a set of credentials for an HPE iLO, which was accessible over the Internet. From there, we could use the remote console to log on as root.

HPE iLO doesn't support MFA or any form of public key authentication, and its security history is much worse than SSH. It requires several ports open and the old version they had required Java plugins on desktops and all sorts of nonsense. Using it outside of emergency repairs is a terrible experience due to console refresh lag and the fact you can't copy + paste.

The reason I had to do this insecure and annoying process is that a PCI assessor had told them it would be a hard fail to have port 22 open on the Internet, but this would apparently be fine.




I don't know... I mean, maybe the security posture is to annoy the hackers into giving up?

("This thing requires a Java applet and is slow as hell. Screw it, let's just pwn the bank across the street")

I'll call it Security by Inconvenience.


That reminds me of a post[0] on alt.sysadmin.recovery.

The hackers were annoyed by the compromised machine so they installed security updates and did other system administration tasks.

[0] https://groups.google.com/g/alt.sysadmin.recovery/c/ITd7OlMr...


Amusing, but today there are two kinds of hackers: people who manually run a campaign like in your story, and the endless hordes of bots that automatically exploit systems to turn them into botnet slaves or cryptolocker hostages.

You can’t inconvenience a bot.


I vaguely recall some kind of malware that, upon infecting a system, scanned the system for other malware and removed/disabled it. The motives were far from pure, obviously. (Although there also was a case, I think, of a piece of malware specifically created to ensure "infected" systems had up-to-date AV software and were up to date update-wise. We sure live in strange times.)


That's why your security solution should include a mix of every known technology; hackers need to know everything from COBOL to Rust.


Such strategies are remarkably effective, and maybe arguably describe all security in a nutshell.

Every time I notice an obscure feature in a Google product or service and go "hm, I wonder if that could be exploited", I then always go "...meh, it'll take too long and require too much concentration to figure it out."


No, not at scale. You may be discouraged, but there's someone who will have lots of fun breaking that specific feature.

See for example @jonasLyk, who spent the last half a year (?) trying to abuse almost only the alternate streams and junction folders in Windows.


Wow, this guy is mad

https://twitter.com/jonaslyk

I can't help but picture him as a sysadmin walking away from a bunch of servers that are mysteriously 40% faster than ever before, but then he gets stopped at the door of the datacenter by some unimpressed looking lawyers who glare at him until he puts everything back

Thanks for the reference, and fair point, yeah that's not how it works at scale.


The new iLO has an "HTML5" and a Java console. But 3 wrong passwords and you're blocked for 10 minutes (by default).


PCI QSAs are notorious for being complete jackasses. You have to be very careful about vetting them. That isn’t the dumbest thing I’ve heard like that!


Too annoying. I would’ve shut off SSH for the “assessment” then moved it to a different port after.


SSH doesn't have to be on port 22. You can leave an empty honeypot on port 22 and run SSH on whichever port you like.




