by robzyb 3343 days ago
This is a criminal act, and of course I don't condone it, but at the same time I do hope that some good comes out of it - particularly with regards to the attention which all organisations give to IT security.

Most organisations wouldn't feel comfortable with:

a) Not having locks on their buildings

b) Having known-defective locks on their building

c) Not doing regular audits of the locks they're using vs. what criminals can crack

d) Not having reasonable organisation-wide policies to make sure the locks are used properly and kept secure

Yet I don't think that there is quite enough attention given to IT security. It still seems like primarily a "box ticking" exercise, or a case of throwing rules and regulations at the problem which make sense at face value, but are inherently flawed.


In the US at least a lot of organizations and most homes have piss-poor locks that are a lot easier to pick than their IT security is to crack. I'm not saying you're wrong, but it's not the best analogy.
We lost the key for the bedroom window; the GF seemed positively shocked when I took a small flat-headed screwdriver and 'picked' it (I use quotes because it wasn't really picking, since I only had to push in two places and the lock popped) in under 90s.

A lot of security is visual deterrent and to make legal clarity in the instance of "Did you enter the room or break the lock then enter the room?", since the former doesn't imply criminal intent while the latter does.

A person can still be guilty of "breaking and entering" if a house is unlocked. But breaking/picking a lock definitely is a stronger case.

But that's commensurate with the apparent risk. You don't have someone walking up to your office or home door and trying to bump the lock every 30 seconds like you have on, say, your SSH port.

If there were as many offline crime attempts as there were cyber crime attempts, you would definitely see more investment in physical security.

Bad security is bad. Nobody should leave ssh open to the internet at large at this point.

Furious agreement that locks aren't a great analogy. I'd hazard that for most organisations locks are actually to remove temptation from employees; and the quality of the lock is largely irrelevant.

A lock is only as good at stopping someone entering as the windows and doors are resistant to being removed. The advantages to locking something are:

* There is evidence that the door was forced after the event
* Very clear signaling of who is and isn't supposed to have access to a room.

Unless serious money is spent, I would expect that locks are delaying access by a matter of maybe up to hours. If IT security were that poor, the world would look different. A better analogy would be spending the money on security guards.

I locked myself out of the house one day and called a locksmith. It took him less than thirty seconds to pick the lock on my front door.

You're right about the signaling aspect, though. You can't very well pretend you didn't know you were supposed to be in a room if you had to get past a locked door to get in.

Except when organizations decide it would be too much of a security risk to give every authorized person keys/cards, or doesn't do so in a timely manner. Then the one designated key-holder is too busy/important to personally let everyone in, so the "secure" door gets propped open and/or opened in response to a knock from anyone, authorized or not. When low-level but authorized staff need access to further secure spaces, they start by tracking down someone with higher access privileges to borrow a card from. People with high-privileged access then start to reflexively toss their credentials to anyone who asks, because most of the time the request is necessary.

Super common with event venues during rehearsals and preparation (below the level of production value where there's a security desk checking IDs).

My locksmith didn't pick my lock. He asked if I wanted a show of lock picking or my door open. I said open. He turned the doorknob, held it on the stop, leaned on the door, slid in a thin plastic shim, and turned the doorknob the rest of the way.

Impressive!

Yeah, a total amateur can learn enough to pick the locks on most homes and padlocks with a grand total of about $3 worth of tools and an hour or two of experimentation.

Now, some businesses use better stuff - Abloy or Medeco stuff, but many still don't.

>c) Not doing regular audits of the locks they're using vs. what criminals can crack

Any business that did this would quickly discover that all their locks can be quickly bypassed by criminals.

Physical entry is easy to do but involves much more risk. Remote entry via computers is much harder but much less risky.

Post production security is notoriously strict, well for visual effects and finishing at least.

There are regular audits that test physical and software security.

The most notable being that all areas dealing with content must be on a separate air gapped network, with physical locking capable of logging.

Security is sadly an afterthought because good security is expensive and the penalties or repercussions for being breached are generally inconsequential.

Not in post production.

I have been through the industry body audit, and it sucked.

We had to remove internet access for the entire staff, and give them locked down RDP instead.

That made us _very_ popular.

I'm interested in what you used to host the RDP sessions? Windows Server? A separate VM for each user? Something else? I'd like to apply that approach for my own personal uses and cloud computing but am having difficulties learning about the proper way to setup a thin-client architecture with RDP.

https://www.nomachine.com/enterprise

^ that basically. A number of large servers (ex-file servers in this case, so 2x e5-2690v2 and 384 gigs of ram).

Each person uses an AD login to connect to a terminal server. We would get about 200 to a server, assuming people didn't have too many tabs open.

If you want smooth browsing, then you'll need to limit tabs and adverts. Cgroups will help you in memory allocation per user.
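As an added illustration of the per-user memory cap mentioned above (not the commenter's own configuration), here is a systemd drop-in that applies a cgroup memory limit to every user's session slice (user-UID.slice) on a shared Linux terminal server. It assumes a systemd recent enough to honour the `user-.slice.d` template drop-in directory and the cgroup v2 (unified) hierarchy; the file name and the 2G/1536M figures are constructed values.

```ini
# /etc/systemd/system/user-.slice.d/50-memory.conf   (constructed file name)
# Template drop-in: systemd applies it to every user-<UID>.slice, so each
# logged-in terminal-server user gets their own cgroup with this limit.
[Slice]
# Hard cap per user. Above this the kernel OOM-kills processes inside the
# user's own slice, so one tab-heavy browser cannot starve the other sessions.
MemoryMax=2G
# Soft threshold: memory reclaim is applied to this slice first once it
# exceeds 1536M, throttling the heavy user before the hard cap is reached.
MemoryHigh=1536M
```

Apply it with `systemctl daemon-reload`; the effective limit for a logged-in user can be checked with `systemctl show user-1000.slice -p MemoryMax` (1000 standing in for that user's UID).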

Interesting stuff.

Doesn't even the relatively small amount of latency introduced over RDP make things like video/audio editing difficult and dealing with things like audio sync impossible?

Or were/are they doing something where the actual video/files/apps are on the local machine, but any outside access is via RDP only?

With those kind of stringent controls, how do you think they could have gotten in?

Very much the latter.

As for how they did it...

I only have experience with Visual effects, the post house that was "hacked" was an audio place.

They are much smaller, and have much less engineering staff to deal with this sort of thing.

If I was a hacker, I'd be targeting the FTP/aspera server, or the cinesync machine (it's a way of showing what work you've done without having to move the data, like logmein, but colour correct, and with doodling features).

Or they might have just walked in dressed as a runner and stolen a bunch of drives.

I should point out it was a linux terminal server.

Much, much cheaper. Seemed to scale reasonably well too.

Most organizations' doors are made of glass.