• 0 Posts
  • 48 Comments
Joined 1 year ago
Cake day: June 7th, 2023
  • sylver_dragon@lemmy.worldtoCybersecurity@sh.itjust.worksWhy Pay A Pentester?English
    2·
    13 hours ago

    While the broader cybersecurity field has seen rapid advancements, such as AI-driven endpoint security

    Ya, about that “AI-driven endpoint security”, it does a fantastic job of generating false positives and low value alerts. I swear, I’m to the point where vendors start talking about the “AI driven security” in their products and I mentally check out. It’s almost universally crap. I’m sure it will be useful someday, but goddamn I’m tired of running down alerts which come with almost zero supporting evidence, pointing to “something happened, maybe.” AI for helping write queries in security tools? Ya, good stuff. But, until models do a better job explaining themselves and not going off on flights of fancy, they’ll do more to increase alert fatigue than security.

  • sylver_dragon@lemmy.worldtoAsklemmy@lemmy.mlWhat is your criteria based on which you feel something someone says calls for proof or not?English
    1·
    6 days ago

    One idea to always go back to is:

    Extraordinary claims require extraordinary evidence

    • Carl Sagan

    This can be tough to evaluate sometimes, but it’s a good general idea.

    Does the claim sit outside the natural world as currently understood by scientific theory?
    If yes, then there’s going to need to be a lot of evidence. If not, the level of evidence is lower.

    Does the claim involve a low probability event?
    If yes, then more evidence is needed of that event.

    Does the claimant have a stake in the claim?
    For example, does the person get money, fame or other stuff by getting people to believe the claim? If so, more evidence should be required.

    What type of evidence would you expect to see, if the claim were correct?
    When things exist, they tend to leave evidence of their existence. Bones, ruins, written records, etc. If someone says something exists, or used to exist, but they should have archeological/anthropological evidence to back it up.

    Sure, it’s always going to be a bit subjective as to what requires proof. And for a lot of low stakes things, there’s no point in going after it. If someone claims to be from Pitcairn, then what’s the point of questioning it? Just say, “huh, cool” and move on. If someone is trying to convince you that an historical figure existed, and that should effect how you see the world, maybe ask for as bit more evidence.

  • sylver_dragon@lemmy.worldtoGames@sh.itjust.worksMicrosoft Lays Off Another 650 Staff From Its Video Game Workforce, Xbox Boss Phil Spencer Sends Memo to StaffEnglish
    1·
    6 days ago

    While I hate the idea of people losing their jobs, stepping back for a moment and looking at what they are claiming, its not terribly surprising:

    Spencer said the roles affect mostly corporate and support functions

    When companies merge, this is kinda needed. You don’t need two fully functional HR departments. While the HR staff from the buying company will likely need to expand, it won’t be by the same amount as the HR department of the company being bought. As network functions are merged, you probably don’t need all of the IT staff which came with the merger. A lot of management functions likely end up merged, meaning redundancies. And this sort of thing is going to move through a lot of the non-project work functions of the company.

    Yes it sucks. But, it’s to be expected in a merger. Now, whether or not we want this level of consolidation, that’s a different ball of wax entirely. The last thing we need is more studios falling under the sway of these massive companies. That’s the thing which should be drawing our ire.

  • sylver_dragon@lemmy.worldtoCybersecurity@sh.itjust.worksNew Linux Malware Campaign Exploits Oracle Weblogic to Mine CryptocurrencyEnglish
    2·
    6 days ago

    Not really. IP addresses are really easy to change. And doubtless the threat actors will see that their IPs have been identified and will roll them over soon. The solution is to go after the tactics the attackers are using:

    The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances.

    1. Install your updates. If you have a server open to the internet and you haven’t patched known exploited vulnerabilities, you deserve to have your network ransomed.
    2. Many products have either vendor provided or useful third party security configuration guides. While there are situations where business processes prevent some configuration changes, these guides should be followed when possible. And weak passwords should not be on that list.

    EDIT: for Oracle Web Logic, you do a lot worse that going through the DoD STIG for it.

  • sylver_dragon@lemmy.worldtoAsklemmy@lemmy.mlWhat is a low technology you really love ?English
    13·
    7 days ago

    I was always terrible with knots growing up. My father spent far too much time trying to teach me a basic trucker’s hitch and sadly never got to see me really “get it”. Then, when my own son was in Cub Scouts and supposed to learn some basic knots, something just clicked in my mind and I took an interest. The bowline was the gateway knot for me and learning that led me to finally apply myself to the trucker’s hitch. Just such a useful pair for tying up a load. I can understand why my father really wanted me to learn it.

    Now, I keep a length of paracord on my desk and will fiddle with it, practicing knots whenever I’m doing something that leaves my hands free. And ya, having a basic set of knots down is just damned handy.

  • sylver_dragon@lemmy.worldtoAsklemmy@lemmy.mlLooking for advice on hobbies and whether I should continue rock climbing?English
    2·
    14 days ago

    I took up indoor rock climbing a couple years ago, partly because I have a similarly sedentary job and hate most forms of exercise. I can certainly understand the draw. I go 2-3 times a week and have stuck with it for so long because it forces me to get out of my head, but also doesn’t require dealing with strangers as much. It’s just a clam, focused activity which also happens to work my body.

    Unfortunately, as a hobby, rock climbing is going to work your hands and arms. I would say that, as I have gotten better, I do a better job of using body position to prevent having to hang by my hands. But, just the other day, my foot slipped and I was hanging on by my fingertips for a couple seconds. And harder climbs may require you to engage your hands more. Though again, body position and technique counts for a lot.

    Best advice I can give is: talk to your doctor. They will know more about how your condition will be affected by climbing and what your options are. Certainly more than random idiots on the other side of the internet.

  • sylver_dragon@lemmy.worldtoCybersecurity@sh.itjust.worksWhere's a good place to look for entry-level GRC jobs?English
    3·
    14 days ago

    If you are located in the US and aren’t currently a complete fuck-up, the Federal Government can be a way into the GRC side of cybersecurity. Between civilian and DoD sites, they have analysts and auditors all over the place and always seemed in need of folks willing to pour over checklists and OQE artifacts. This first place to look for positions in that vein would be on usajobs.gov. Though unfortunately, the FedGov made the decision to classify both GRC and sysadmin positions under the 2210 category; so, you’ll probably have to dig through a lot of sysadmin listings.

    Another path into similar positions is to look for FedGov/DoD facilities in your area. Once you find one, take a drive around the area and look for the names of businesses in the area and start researching those businesses and their open positions. There will almost certainly be the big ones, like Booze-Allen Hamilton, BAE, Boeing (yes, that Boeing. They do a lot outside of crashing aircraft), etc. But there will be a plethora of smaller companies with seemingly random names and little public facing who supply the local site with hordes of contractors. And, while these are contractor positions, they are a lot more stable than contract positions in the private sector. I spent 6 years as such a contractor and only stopped being one when I took a job elsewhere.

    I will say that “entry level” is going to be harder. No one wants to hire an train someone without experience, which puts you in a catch-22. For all the suck involved, you may want to consider putting in some time working a help desk. At minimum, it keeps you in proximity to the field, teaches you something about systems and provides related, if not direct, cybersecurity experience.

    Best of luck.

  • sylver_dragon@lemmy.worldtoAsklemmy@lemmy.mlWhat do you do to feel like you're part of everyone else and in a way cope with some of the pressures of life around you?English
    1·
    20 days ago

    What do you do to feel like you’re part of everyone else and in a way cope with some of the pressures of life around you?

    I stopped giving a fuck about everyone else. I do what makes me, my wife or my kids happy. The rest of the world can go stuff a sock in it. Sure, I like to keep up on news and politics and will go read related sites when I have time and energy. I also listen to several podcasts and follow several Youtube channels. But, those are all things I do because I want to do them. If I’m not feeling like doing one of those things, I don’t. I also work and so have to keep up on the aspects of life related to that; but, I don’t pretend to be interested in things just to make coworkers happy. I am employed to do a job, they are employed to do a job. Sometimes we do a job together and I focus on the work at hand. And yes, I do socialize a bit with my coworkers as we have some shared hobbies and interests. But, if they start going off about basketball, I let them say their peace and then move on. It’s not my cup of tea and I feel no need to engage with it.

    One of the most important secrets to life is learning to set boundaries. Don’t let other peoples’ wants become your needs. Be who you are because it’s who you want to be. If other people can’t deal with that, then they can go put their problems somewhere uncomfortable for them.

  • sylver_dragon@lemmy.worldtoFuturology@futurology.todayLos Angeles is in a 4-year sprint to deliver a car-free 2028 OlympicsEnglish
    7·
    21 days ago

    LA will be “car-free” for the Olympics. For definitions of “car-free” which include crippling car traffic everywhere except tiny islands around a few select locations. Said locations being strategically placed to make the crippling traffic worse everywhere else. And once it’s all over, everything which was built out will be allowed to fall into disuse and disrepair. As is the Olympic Tradition. But, at least, a bunch of large companies will make a lot of money, with all of the expenses covered by California and LA tax payers. Again, in the best Olympic Tradition.

  • sylver_dragon@lemmy.worldtoAsklemmy@lemmy.mlWhat's an IT profession that is realistically possible to self-study for and become proficient enough in to get employed within a year?English
    8·
    7 months ago

    The first thing to answer is, where do you want to end up?

    If your goal is development you probably want to start learning the basics of programming. You can get some of the academic side of things, for free, from sites like MIT’s Open CourseWare site. Their Introduction to Computer Science and Programming in Python is going to be a solid start in that direction.

    For systems administration, it can be good to start with the classic CompTIA Trifecta:

    The study process for these should, at least, get you understanding the language of systems. I’d also suggest spending time learning Linux and maybe even consider the Linux+ cert, even if your plan is to be a Windows admin. Learning Linux often means learning a lot about how Operating Systems work in general and you can carry that learning into the Windows world where so much is abstracted away and hidden. It’s also worth spending time learning about Kerberos, DNS (because it’s always DNS) and Active Directory. Even if you work with Linux, you’re very likely to have to interact with Active Directory (AD). Having basic knowledge of AD will be helpful for those touchpoints.
    Also, if you plan to work in SysAdmin, expect to spend some time working a help desk. It’s possible to skip this, but businesses don’t like putting untested people in charge of servers. You’re going to fuck up as you learn, this is usually less damaging when done on endpoints than servers. Suck it up butttercup and get the experience.

    For network admin, I’m not as helpful. As others have suggested, getting an old switch and seeking Cisco certs is likely to be a solid start.

    For “Cloud” based engineering, the major vendors all have certification paths. Azure, AWS and GCP all have pages you can research their certs. I’d go with AWS or Azure, as I hear more about them. But, that may just be the bubble I work in.

    If you want to go into cybersecurity, go work in either systems or network administration for a few years then come back and look at transitioning. While Cybersecurity is the new hotness, you’ll really benefit from a solid understanding of how the systems and network admin folks work. Sure, I have met some folks who went straight into security and did well. I’ve met far more who had zero clue about basic things like, “why is this sysadmin running psexec against this server?” I’m sure I’m pissing a lot of people off with this paragraph, but cybersecurity is not an entry level IT field.

    Mostly, what you need is a natural curiosity and a willingness to try things and break stuff. Succeeding in IT is pretty easy, if you are willing to constantly be learning and trying stuff. The minute you get tired of learning or trying new things, it’s time to move into management.