by ccurrens 2140 days ago
> If you find password protected zips in the release the password is probably either "Intel123" or "intel123". This was not set by me or my source, this is how it was acquired from Intel.

Can't say I'm surprised, people are lazy.

Another large tech company I used to work for commonly used an only-slightly more complex password. But it was never changed, so people who had left the team still could have access to things if they knew the password. It was an entry point into the system more than the company's Red team.


Password protection may have been used to bypass antivirus and other filters. While you should treat dumps like this with a lot of suspicion, treat password protected zips with a heaping dose of care as they may have been used to evade automated defenses.
Yes - though not for hostile purposes, but because your own company's antivirus won't let you mail an executable to a colleague.
Usually this. Or in my workplace, an image.

Antivirus is some crazy shit that may trigger on any random action and will teach people to follow the most unsafe procedures without questioning, so they can get anything done.

I've heard it put this way: If you force users to trade convenience for security, they will find a way to obtain convenience at the expense of security.
> If you force users to trade convenience for security

I _wish_ it was better security they were making the trade for. It often isn't though. These programs are large, expensive, and don't do much most of the time. I feel there's a perverse incentive for developers to make their AV products as noisy as is possible to justify their own existence.

And yet.. even with full AV rollouts locked down at the highest level, bad actors still get into networks and exploit them. So, to me it feels like our users are trading away their convenience for our misguided CYA policies.

There was that one AV with a JS interpreter running as root

https://news.ycombinator.com/item?id=22544554

The truth is, you don't need much in the way of AV software if you are willing to outright block certain types of files.

In most large corporations you are basically not allowed to send anything that could even potentially hide a virus except for maybe Office files (nobody has yet built a compelling alternative to PowerPoint and Excel).

Typical rules already block all executable binaries, scripts and password protected archives (because they could hold binaries or scripts), etc. As a Java developer I have recently discovered my company started blocking *.java files.

My guess/fear is that most AV software gets deployed because some insurance policy requires you to tick that box.
If you make it harder for people to do the right thing than the wrong thing, they will choose the wrong thing.

This has been brought up a million times in the context of DRM, but it is true in the general case as well.

I could be mistaken on this, but wasn't this basically the sales pitch for Spotify? Basically saying "you'll never get rid of piracy, but you can compete with it".
It's true, and often it's not laziness - corporate security measures are often focused only on denying access, and they're so overbearing that, were they followed to the letter, they could easily shut the company down. It's through workarounds that actual work gets done.
Sounds like a large organizational incentive integration failure where subpieces are at odds such that they care more about dodging blame and outside of their domain it isn't their problem. "Not My Fault/Not My Problem" as a toxic approach making balancing decisions worse.
I remember having issues with a corporate email system where base64/uuencoded data would fail to get through with a very rough dependency on size - large files had a smaller chance of getting through, but it was clear that there wasn't a hard size limit. Eventually someone twigged that the problem was a "rude word" scanner, and that beyond a certain size you would hit the "Scunthorpe" problem, and forbidden words would appear in the ASCII text randomly.
The thing is, usability is security. People will do anything to be able to do their job (because people like being able to, you know, eat and stuff). Things that stop you doing your job are bad for security.

I wish more of the security industry would get their frigging heads around this. PGP did less for messaging security over decades of availability than iMessage and Signal did in a few weeks of availability.

Antiviruses will quarantine compiler output...
This 100%. I recall many a fun night at $BIGCORP burning the midnight oil, receiving the warning emails that my "unauthorised software" had been reported to my manager, and that it had been quarantined away for my own safety and convenience. Given that $BIGCORP was a tech firm my manager would be intensely delighted that they would receive regular midnight notifications that I was doing my job. Whatever that damn thing cost it would have been cheaper to let the malware do its thing.
Windows development seems to be fun as of recently. Didn't touch it for a couple of decades.

Sometimes I think that modern Windows is a nice platform already, even comfortable. (Like, you know, C++17 is very unlike C++98.) But then I'm reminded of the necessity to run an antivirus in front of it in a corporate environment.

At one company, Symantec would also quarantine the compiler and build system. It certainly made builds exciting to have the antivirus playing Russian roulette with the entire toolchain.
Every time I went to configure a toolchain in JetBrains' CLion, CMake would create some test files and compile them. Windows Defender deleted every file and even the embedded toolchain. Fun :)
Of course many places have replaced dopey AV with creepier advanced tools like ATP or CrowdStrike.
Ugh, welcome to my life.

"You must exclude our program sub directory because temporary files are created containing interpreted code and your antivirus will either block it outright, or lock the file so long you get application time outs"

Let’s call a spade a spade.

Antivirus software is malware.

In February, I e-mailed a python script to one of our developers to help debug an issue with their SSL configuration.

Two days ago, I needed the script again but couldn't find it. Went to our e-mail thread and it said "the following potentially malicious attachments were blocked", showing mine, but... even from my outgoing mailbox? That seems ridiculous and problematic, considering that it sent fine at the time.

I know that e-mail shouldn't be used as a replacement for Sharepoint or Dropbox or whatever, and I should have a local copy of what I need, but it just seems annoying and arbitrary.

Anyway, I just logged into Outlook Web and downloaded it from the message there. Problem solved.

If I had to deploy AV for mail, I would absolutely scan outgoing mail as well. Imagine if some compromised mail account in my org sends malware to accounts in other companies. These companies could then sue my company for negligence if they can show that we did not scan our mail for viruses on outbound (which could potentially be done by examining mail headers).

(I am not a lawyer.)

This has happened to me with gmail. Zipfiles I had sent in the past are no longer allowed to be downloaded from my sent items folder through the standard interface.
Your company's antivirus, or GMail. A binary? A zip with a binary? Nuh-uh.
To be fair, emailing binaries (apart from known types such as images, PDFs, etc.) is a rare enough use case for legitimate purposes and an easy enough way of spamming malware to clueless random people that it's probably a reasonable default for gmail.

Having an option to allow them might be okay though. (I barely use gmail so I don't know if it has one or not.)

Ah you must be young...
for not using gmail? They hooked me in school
I use vmdk’s

Seriously I don’t know how long it’ll last but a zip file into a fat32 disk image in a vmdk got through just fine.

The bonus is that 7zip can extract from vmdk.

We just rename our files with .novirus on the end. I assume the main point is to stop executables from outside running with a click, or internal forwards of the same by compromised users which is why it's so easy to bypass.
Shouldn’t you put it in either eg artifactory or a code repo?
Yes. Whenever I email or transfer a zip via any method really I always put a basic password on it.

I've been bitten way too many times by dumb filters that pick some file out of the zip and declare that it is malicious. I also don't trust messenger apps to not pull my files out and do who knows what with them. A basic password prevents this junk 99% of the time for almost no effort.

It won't stop a determined system from cracking the password. But that isn't what I'm trying to defend against.

Gmail doesn't seem to like archives it can't open :/
Ah, the halcyon days of merely changing the file extension from .exe to .txt...
This brings back happy memories of a college (senior high for the Americans in the audience) computing teacher finding a friend and I had been writing irritating malware instead of doing actual work, and his only comment being “if you’re going to email that to yourself change the extension so it doesn’t get flagged for IT support”.
Gmail won't even let you send a JAR file, or a zip you made out of a project where it happens to be a .jar file somewhere deep in some random subdirectory.
IIRC, you can do it by embedding the content into an Office file, which is a zip file.
I left Intel a couple of years ago; that's exactly what passwords were used for. It was pretty annoying to try to send files, and putting them in an encrypted archive was the most convenient method.

It was not just for binaries but for scripts, html, etc.

That's an excellent point I wouldn't have considered. I have no intention of looking at the dump anyway, but thanks for the warning.
I think the proper term is Honeypotting.
Commonly password protected zips are used to bypass security systems that block all zips with exes in them.

I doubt the encryption was believed to be a security barrier.
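Added example (editor's code, not from any commenter in this thread and not from Intel): a minimal ZipCrypto writer plus a gateway-style archive scanner, showing what the filters discussed in this thread (blocking password-protected archives, archives containing executables, binaries renamed to .txt, and a jar or script buried inside an Office-style container) can and cannot see without the password. The container fields and the traditional PKWARE stream cipher follow the public APPNOTE format; the file names, contents and the password value are constructed for the demonstration. The point worth seeing is that ZIP's traditional encryption covers only entry bodies: every file name stays in the cleartext central directory, so a gateway can still reject "tool.exe inside a zip" by name, but it cannot sniff a renamed PE or recurse into an encrypted nested container, which is why many gateways reject encrypted archives outright.

```python
import io
import os
import struct
import zipfile
import zlib

# Traditional PKWARE ("ZipCrypto") stream cipher from APPNOTE.TXT: three 32-bit
# keys seeded from the password and advanced on every plaintext byte.
def _crc_table():
    table = []
    for n in range(256):
        for _ in range(8):
            n = (n >> 1) ^ 0xEDB88320 if n & 1 else n >> 1
        table.append(n)
    return table

_CRC_TABLE = _crc_table()

def _crc(crc, b):
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ b) & 0xFF]

class ZipCrypto:
    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc(self.k2, self.k1 >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            t = self.k2 | 2
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)              # key schedule consumes the plaintext byte
        return bytes(out)

# Minimal STORED zip writer. With a password each body is ZipCrypto-encrypted,
# but the local and central headers (including every file name) stay cleartext.
def build_zip(entries, password=None) -> bytes:
    body, central = io.BytesIO(), []
    for name, data in entries:
        raw = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        flags, payload = 0, data
        if password is not None:
            flags = 0x1                  # general-purpose flag bit 0: encrypted
            # 12-byte encryption header: 11 random bytes + high byte of the CRC,
            # which readers use as a cheap password check before the body
            header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
            payload = ZipCrypto(password).encrypt(header + data)
        offset = body.tell()
        body.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x5021,
                               crc, len(payload), len(data), len(raw), 0) + raw + payload)
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                                   0, 0x5021, crc, len(payload), len(data), len(raw),
                                   0, 0, 0, 0, 0, offset) + raw)
    cd_offset, cd = body.tell(), b"".join(central)
    body.write(cd + struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central),
                                len(central), len(cd), cd_offset, 0))
    return body.getvalue()

# Gateway-style scanner: everything a filter can still judge without the password.
# Returns (entry_path, reason) findings and recurses into nested zips (docx, jar, ...).
BLOCKED_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".jar", ".hta"}

def scan_archive(blob: bytes, prefix="", depth=0) -> list:
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            encrypted = bool(info.flag_bits & 0x1)
            if encrypted:
                findings.append((path, "encrypted entry"))
            if os.path.splitext(info.filename)[1].lower() in BLOCKED_EXT:
                findings.append((path, "blocked extension"))   # names are never hidden
            if encrypted or info.is_dir():
                continue                                       # body not inspectable
            data = zf.read(info)
            if data[:2] == b"MZ":
                findings.append((path, "PE (MZ) magic in content"))
            if data[:4] == b"PK\x03\x04" and depth < 3:
                findings += scan_archive(data, path + "!/", depth + 1)
    return findings

def stdlib_read(blob: bytes, name: str, password: bytes):
    # Cross-check: CPython's own zipfile reader must decrypt what build_zip wrote.
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(name, pwd=password)
    except (RuntimeError, zipfile.BadZipFile):       # wrong password (check byte or CRC)
        return None

# Constructed sample attachment: a real .exe, a PE renamed to .txt, a source file,
# and an Office-style container with a script two levels down.
SAMPLE_ENTRIES = [
    ("build/tool.exe", b"MZ" + b"\x90" * 40),
    ("notes/readme.txt", b"MZ" + b"\x00" * 8),
    ("src/Main.java", b"class Main {}"),
    ("report.docx", build_zip([("word/macro.vbs", b"MsgBox 1")])),
]
```

`scan_archive(build_zip(SAMPLE_ENTRIES))` reports the .exe, the PE renamed to .txt and the .vbs inside report.docx; `scan_archive(build_zip(SAMPLE_ENTRIES, password=b"Intel123"))` still reports build/tool.exe by name but no longer sees the renamed PE or the nested script. `stdlib_read` confirms that CPython's zipfile decrypts the archive, i.e. the cipher here matches the real format. It is a demonstration scanner only: a production gateway also handles deflate, zip64, other archive formats and decompression-bomb limits.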

I was an admin for a medium sized company and handled their websites. Almost all of them (about a dozen or so) were hosted on GoDaddy. Plus they had about two dozen reserved domains they were sitting on like www.yourcompanysucks.com and others.

I left the company 5 years ago. Just checked the login to see if it still worked.

Yeap.

Any disgruntled employee could change the password, lock them out of all of their sites (including several e-commerce sites that account for a large chunk of revenue) and then if they really wanted to, delete all of them.

I remember talking to the main network guy about any backups when a lot of the ransomware stuff was making the rounds. The big, really big stuff on their network (mostly ERP stuff) was backed up in two or three places. Their web stuff? Yeah. . . NOPE.

Pretty scary how lazy people are about stuff like that.

I wonder if malware should just grep for "pw:" or "password:" and then try the string it finds against anything encrypted. Or forward it to the control center.

Also the contents of files like password[s].txt

I worked for a company that made servers. In the on board management system's source code I remember seeing "base64 encryption". I think they removed it by the time I left, but still.
A company I know insists on rotating passwords fairly often. Everybody just increases the number at the end of their favourite password, i. e. intel1255
I once worked at a place that required passwords to be changed every month and contain at least one upper and lower case letter, digit, and punctuation, and not match any previous password.

So the password for August, 2020 would be “August, 2020”.

This is super common, to the point where Microsoft used a similar password scheme as an example when talking about password spraying attacks at an RSA conference presentation

https://www.zdnet.com/article/microsoft-99-9-of-compromised-...

It's why I'm advocating within my organisation to get rid of password expiration and enforce 2FA for clients, but there's a lot of inertia to push against with some of them. At least uptake of 2FA is consistently increasing.

If you need backup, NIST standards agree with you.

Scheduled password expiration weakens security by encouraging users to make predictable passwords, and by entrenching password resets as a routine and unscrutinized process.

Many DoD websites are the same. It's so annoying. I use a password manager at home but at work I don't have that luxury (installable software is tightly controlled and very limited).
Where I work they use a password filter to stop you from doing that...

But it doesn't stop you from spelling out the numbers instead, plus that makes your PW longer

In my experience this is pretty standard across the industry.
I use the month and year instead
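Added example (editor's code, not from any commenter): a password filter in the spirit of the NIST guidance cited above, which rejects the specific patterns this sub-thread describes (a company name plus digits, "Passw0rd", month-plus-year, and a "new" password that only bumps the digits or spells them out) instead of forcing scheduled rotation and composition rules. The blocklist entries, the previous-password values and the thresholds are constructed for the demonstration; a real deployment loads a breach corpus in place of the small set here.

```python
import re

# Constructed blocklist: a few breached/common values plus the organisation's own
# name. A real deployment loads a large breach corpus (NIST SP 800-63B 5.1.1.2).
BLOCKLIST = {"password", "intel", "letmein", "welcome", "qwerty", "iaccept", "admin"}
DATE_WORDS = ("january february march april may june july august september october "
              "november december spring summer autumn fall winter").split()
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
LEET = str.maketrans("0134578@$!", "oleastbasi")     # undo the usual substitutions
DATE_RE = re.compile(r"(%s)[^a-z]*(19|20)\d\d[^a-z]*" % "|".join(DATE_WORDS))

def normalize(pw: str) -> str:
    """Lower-case and turn spelled-out digits back into digits ("onetwo" -> "12")."""
    s = pw.lower()
    for word, digit in NUMBER_WORDS.items():         # lossy on purpose: "phone" -> "ph1"
        s = s.replace(word, digit)
    return s

def core(s: str) -> str:
    """The word left after stripping bolted-on digits/punctuation and leet-speak."""
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)          # drop leading/trailing decorations first
    return re.sub(r"[^a-z]", "", s.translate(LEET))  # then fold 0->o, @->a, ... and spaces

def check_password(candidate: str, previous: str = None) -> tuple:
    """Return (accepted, reason): minimum length plus blocklist and pattern checks,
    in place of composition rules and scheduled expiry."""
    if len(candidate) < 8:
        return False, "shorter than 8 characters"
    norm = normalize(candidate)
    word = core(norm)
    if word in BLOCKLIST:
        return False, f"blocklisted word '{word}'"
    if DATE_RE.fullmatch(norm):
        return False, "month or season plus a year"
    if previous is not None and word and word == core(normalize(previous)):
        return False, "only the digits or punctuation changed from the previous password"
    return True, "ok"
```

The same patterns the filter rejects are exactly the guesses a password-spraying run tries first (company name plus digits, "Passw0rd", the current month and year), so a check like this removes the cheap wins without making users rotate anything. Comparing against the previous password requires the old value at change time (the user supplies it), never a stored plaintext history.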
Also, the passwords are listed in docs that appear to be alongside the encrypted files. That's a bit like leaving the keys to your house _on top_ of your front doormat.
It's kinda like hiring a security guard for insurance purposes, even though they have strict instructions to never do anything, under any circumstances, other than call emergency services.
To be fair having someone aware and around to watch and phone emergency services has a use.
> It's kinda like hiring a security guard for insurance purposes, even though they have strict instructions to never do anything, under any circumstances, other than call emergency services.

I see you've worked in retail.

The shared stupid passwords like this that I've seen/had to use in my career would utterly shock you. Like hunter2 levels of shock.

  > Like ******* levels of shock.
What do you mean with 7 star levels?
This joke never gets old
The people that get bash.org jokes in contrast... :)
No one who knows what they're doing uses zip passwords as security. The passwords are probably there for other reasons.
Another password is "I accept" (based on the leaker's Twitter messages).
at my first job they used a similar password as their go-to "temporary" password for users etc. I found later when I got to work with the users that they rarely changed this password even when "forced" to, and in many cases had it up on post-its next to their monitor.
> and in many cases had it up on post-its next to their monitor.

These days a post it is probably the best way to secure your password.

99.9999999% of password hacks come over the wire now, from people in other cities, states, or nations. If someone is in your building, in front of the computer, even without the post-it, you're probably toast.

A post-it is not a good way to secure your office's generic temporary password.
> Another large tech company I used to work for commonly used an only-slightly more complex password

I know a brand-name healthcare company that uses Passw0rd for its internal WiFi, which is easily reachable from an interstate rest area.

I knew one company who used the same password for BIOS as wifi.
Some people/companies think that if you are behind VPN you can use simple and obvious passwords.