this post was submitted on 19 Jul 2024
177 points (98.4% liked)
Asklemmy
I have posted about this before. I'm pretty sure I win.
I'm not going to name names. I worked for a company, three of their clients include the United States Air Force, the United States army, and the United States Navy. They also have a few thousand other clients, private sector, public, and otherwise. Other nation states services as well.
I worked for this company quite recently, which should make what I'm about to tell you all the more alarming. I worked for them in 2021.
Their databases were Progress ABL. I linked it because if you're younger than me, there's a slim chance in hell you've ever heard of it. I hadn't. And I'm nearing 40.
Their front end was a bunch of copy/pasted JavaScript, horribly obfuscated with no documentation and no comments. Doing way more than is required.
They forced clients to run Windows 7, an old version of IE, all clients linked together, to us, in the most hilariously insecure 1990s-ass way imaginable, through Tomcat instances running on IIS on all their clients' machines.
They used a wildcard SSL for all of their clients to transact all information.
That SSL was stored on our local FTP server. We had ports forwarded to the internet at large.
The password for that FTP server was 100% on lists. It was rotated, but all of them were simple as fuck.
I mean, "Spring2021". Literally. And behind that? The key to deobfuscate all traffic for all of our clients!!
The worst part was that we offered clients websites, and that's what I worked on. I had to email people to have them move photos to specific directories to get them to stop failing to load, because I didn't have clearance to the servers where we stored our clients' photos.
We had legit secure servers. We used them for photos. We left the keys to the fucking city in the prize room of a maze a 12 year old could solve.
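A defender's check for the failure described above (private key material sitting on a file share that is reachable from the internet): an added example, not code from the original post, that walks a directory tree and reports files containing PEM private-key markers or carrying key-store extensions. The sample share it builds is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# PEM markers for private key material (RSA, EC, DSA, PKCS#8, encrypted PKCS#8).
KEY_MARKERS = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
# Binary key-store formats identified by extension rather than content.
KEYSTORE_EXTS = {".pfx", ".p12", ".jks", ".key"}


def find_private_keys(root, max_bytes=1_000_000):
    """Return sorted POSIX-style relative paths under `root` that contain PEM
    private-key markers or have a key-store extension. Files larger than
    `max_bytes` are skipped so a share full of photos is not read in full."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in KEYSTORE_EXTS:
            hits.append(rel)
            continue
        if path.stat().st_size > max_bytes:
            continue
        if KEY_MARKERS.search(path.read_bytes()):
            hits.append(rel)
    return sorted(hits)


def build_sample_share():
    """Constructed FTP-root lookalike: a wildcard cert bundled with its key,
    a certificate-only chain file, a PKCS#12 backup, and an unrelated photo."""
    root = Path(tempfile.mkdtemp(prefix="ftp_root_"))
    (root / "certs").mkdir()
    (root / "certs" / "wildcard.pem").write_bytes(
        b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
        b"-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")
    (root / "certs" / "chain.crt").write_bytes(
        b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
    (root / "backup").mkdir()
    (root / "backup" / "site.pfx").write_bytes(b"\x30\x82 placeholder")
    (root / "photos").mkdir()
    (root / "photos" / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0 not a key")
    return root


if __name__ == "__main__":
    for hit in find_private_keys(build_sample_share()):
        print("private key material exposed:", hit)
```

Run it against the root of any share that is reachable from outside the network; a non-empty result means a key that should only exist on the TLS terminator is sitting where a password guess could reach it.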
Holy shit.
glances at my home server setup nervously
Lol you can totally do it in a home server application. It's even okay if I'm an e-commerce store to use a wildcard for example.com and shop.example.com. Not a best practice, but not idiotic.
Not idiotic unless you also have a hq.example.com that forwards a port into your internal network...
...where ftp://hq.example.com takes you to an insecure password shield, and behind it is the SSL certificate, just chillin for anyone to snag and use as a key to deobfuscate all that SSL traffic, going across your network, your shop, your whole domain.
oh... oh no
Well now I feel better thanks hahaha
I worked with Progress via an ERP that had been untouched and unsupported for almost 20 years. Damn easy to break stuff, more footguns than SQL somehow
Yikes man, so much to unpack here.