It's somewhat easy to fix, but really, I have to give them credit on the release... within 24 hours of learning of the exploit, they had a fix that was then pushed out. I'm sure their testing is slowly catching up with the initial fix, but in the big scheme of things, I'd rather have a secure box and temporarily broken file sharing (that can be fixed with the following command: sudo /usr/libexec/configureLocalKDC) than an insecure box and working file sharing. All in all the fix wasn't perfect, but it was commendable in its speed and relative effectiveness. I'd give it about an 8/10.
The complexity difference between the two is orders of magnitude. This fix was a minor change to some validation code, whereas the WPA2 vulnerability was crazy complex and had the potential to fuck up a LOT of things. That was a problem with the core protocol, and any fix that they did had to be tested an insane amount against other devices to ensure that it would still work. It's one thing to fix a small problem that you alone control, but to fix a vulnerability that was industry-wide, while ensuring that you didn't brick anything in the process, is daunting.
Right, but they didn't seem to start responding to it until it was widely publicized in October. US-CERT notified manufacturers in August, and other manufacturers patched their clients accordingly. Microsoft released theirs on October 10th.
Oh, absolutely... they are abysmal at "officially" recognizing problems... even in this case. There were support forum posts talking about this "workaround to logging in" for weeks, but it was only brought to their attention very publicly yesterday. The official channels into Apple are convoluted and almost nonexistent. Even as a high-priority iOS developer we had problems getting a hold of people... we usually had to email a dev we met at a conference and get him to ping someone internally. They really, really need to fix that shit. I guess you could say that I tend to empathize too much with the developers having to fix the problems, and not really look at the whole company picture.
It honestly must be a bureaucratic nightmare at Apple. Red tape a mile long just to pass something from Beta to full release. And I completely recognize the need to test, but I had a sour experience with Apple over the summer so I'm pretty bitter toward them. Binding to a Samba 4 LDAP and then turning on FileVault completely bricks Sierra to the point of having to wipe out the whole disk and start over. It didn't happen on El Capitan or other OS versions. Now, that's a poor order of operations, but such an easy button to click should not be fucking up the entire installation. After having the issue escalated to some senior engineering department at Apple, they basically said, "Yeah, we can replicate it and it's definitely a bug, but we're not going to fix it because we don't care about Linux LDAPs," or something equally inane.
Yeah... OS X is not something that I'd want to use in a typical corporate environment... the big problems are when you go looking for Microsoft-type administration in OS X... they tried, but not very hard, and it blows goats. I run Server on my home boxes, more for a few simple network caching and Time Machine services, but none of the account admin stuff. That being said, if you basically treat each laptop as an individual, and use Google Apps as your "MS Office" suite, it works great. We have over 150 employees mostly using OS X, and it works out great. So far the only IT support that has been issued is "don't update to High Sierra."
That’s exactly what we do. G-Suite has been pretty great, and we have some developers in-house that worked on it at Google so that doesn’t hurt either. I’m moving everything to outsourcing services as much as humanly possible to keep it lean.
Nice... it's easy to lose sight of what your core business is, and what the company REALLY needs to do in-house in order to support that core business.
For anyone doing security, infrastructure or SRE: what do you use for cloud security monitoring? We use ThreatStack to monitor our AWS production EC2s, but they really aren’t that great at really anything. The alert suppression and logging capability are garbage. Their compliance monitoring is OK, but incomplete. The customer service sucks. They got a huge funding round a year ago and I don’t see any discernible feature improvement, which means they probably spent it all on sales staff. As soon as our series C clears, I want to move to something else, even if it means more $$.
I use Detectify (https://detectify.com) for some stuff, and a few internal open source projects for other aspects (like AWS policy checking, etc.). It really depends on specifically what you're looking to test for, and why. As to infrastructure, that's a whole other topic that has a ton of moving parts to it... we (partially) subscribe to Chaos Engineering concepts, at least as much as our clients will (literally) buy into it... You may get some good value out of watching this talk by Adrian Cockcroft... I used to work with him way back when he was at Sun, and then he went on to do little things like engineer Netflix and AWS. Really smart fucking dude, and has a great way of explaining infrastructure/architecture design concepts/goals. If I remember correctly he touches on various aspects of security, such as using a Red Team, and some external consultants that can help.
Yeah, start at 32 minutes and he starts talking about Red Teams and other security concepts/ideas/options.
Thanks, I'll check the video out. Everything we need to do revolves around regulatory compliance (HIPAA, GDPR) and certifications (SOC 2, HITRUST), which we already have. We started using Threat Stack for their IDS and DLP features, along with how they deal with CloudTrail, but it's just too unintuitive for us to deal with and some aspects of logging details are surprisingly lacking. Given that we will likely quadruple in size over the next 18 months, I'd rather deal with this now than later.