undefined | Better HN

0 pointspiva009y ago0 comments

You have already pwned the machine, what disabling history is gonna do to save someone's ass after that?

The hassle of not having a history file every day is a much bigger cost than having it on an already pwned machine, isn't it?

Stop being an ass, that's why most people don't listen to security experts, instead of educating people in a kind way and making the world more secure most of you like to live on your high ivory towers with snark comments, passive-aggressiveness doesn't help anyone or any discourse.

Please, learn some social skills.

0 comments

7 comments · 3 top-level

oogali9y ago· 4 in thread

I guess you've never typed a password into the command line by accident? (sudo apt-get install<forget to hit enter>hunter2)

Or passed in a password as an argument to any programs? (e.g. mysql -uusername -ppassword -hprod.db.com)

Plus, if the commands are important as they appear to be (with the need to be referenced days or weeks later), assuming they don't contain passwords, why not put them into a protected team wiki (or a private Github Gist)?

As an attacker, your goal is to get the most amount of privilege and credentials in a brief amount of time without being detected while it's happening. So you grab .bash_history, .bashrc, .bash_profile, .aws/credentials, .ssh/config, .ssh/id_*, .ssh/known_hosts, .pgpass, .psql_history, .mysql_history, .gitconfig, and then get out before a second has even elasped.

As a target, your goal is to limit the blast radius as much as possible, and by following certain practices, if/when you are compromised you can accurately state what the attackers could or could not have had access to.

This isn't about being 100% hackproof, it's about limiting the damage when you are hacked.

ageofwant9y ago

As a team member with promises to keep my only goals are getting my job done and meeting my KPI's. I cannot afford to not have bash history or any other history. And I certainly don't have time to do the securistatsi's job for them.

If a server is 'compromised' I delete it from the stack, spin up another and provision it all within 60's. The goal is not preventing being hacked, its being in a position where it does not matter.

web0079y ago

Meeting your KPIs has to happen within the InfoSec framework of your company. The "securistatsi" exist for a reason - not to slow you down, but to protect the company from you. If your only goal is hitting your target then _someone_ has to make sure you're not doing it the wrong way, as you clearly don't care - full speed ahead, security be damned.

If your server is compromised, you shouldn't be back in business in 60s. You need to rotate EVERY secret on that instance and everything it connected to. Your main database that coordinates 50 servers? One of the 50 gets compromised, you need to change the pw on all 50. That should include 3rd party API keys and other fun stuff too.

And PS all of that needs to happen _after_ you find out how they got in.

sergiosgc9y ago

> I guess you've never typed a password into the command line by accident? (sudo apt-get install<forget to hit enter>hunter2) > Or passed in a password as an argument to any programs? (e.g. mysql -uusername -ppassword -hprod.db.com)

Of course. Promptly followed by export HISTFILE=

gknoy9y ago

> export HISTFILE=

Thank you! I didn't realize I could do that (:

reitanqild9y ago

Attempted to make a shorter version that says most of the important points:

You have already pwned the machine, what disabling history is gonna do to save someone's ass after that?

The hassle of not having a history file every day is a much bigger cost than having it on an already pwned machine, isn't it?

This is why most people don't listen to security experts, instead of educating people in a kind way and making the world more secure most of you like to just point out how bad we are.

noja9y ago

Speed.

With the history file already there, you don't have to wait for it to populate.

j / k navigate · click thread line to collapse