Note that OneDrive is actually pretty good now. (Yes, it was fucking garbage, I lived it every day, I know.) If your org is having consistent problems:

- Install OneDrive machine-wide with the installer switch; get binaries and maintenance tasks out of the user profile
- Check your registry for weird old GroupPolicy still being applied
- Review and apply latest GroupPolicy settings
- If you use a proxy, make sure you're on latest vendor recommended exclusions. Call them and ask for a health check. We just did one and it found issues with our O365 settings.

We have largely moved users to OneDrive for business content and are also selectively doing Desktop/Documents backup.

If your company uses Office365, your most important ransomware insurance is getting your user files on OneDrive. And it can transparently back up Desktop/Documents now; users don't need to put stuff in OneDrive manually if you manage the setting with GroupPolicy.
Enterprise Security is Operational Excellence. If you can't even recover from non-malicious stuff like SSD crashes, you absolutely positively are going to get wrecked by ransomware. And you're wasting IT staff time on routine garbage instead of actual resilience engineering.
If you can't rebuild a dead machine in ~40 minutes with full data migration, you're going to be in a world of hurt either by hackers or an IT screwup. I've lived both of these lives, Helpdesk and Cyber. It's the same freaking continuum and it feels like I yell my throat raw trying to get people to realize this. If your user experience sucks you're not ready.

The reason I went from Helpdesk Engineer to Security Engineer is that a lot of it is a subset skillset, if you're trying to build truly resilient systems and ensure nobody fucking calls you with their problem because the issues never happened in the first place, because you designed for the worst possible scenario.

I didn't learn most of this stuff because I was responsible for Security. I learned because it was my job to clean it up, either per-machine or a whole-network compromise. And I really didn't want to do that.
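A read-only audit for the checklist above (machine-wide install, stale old policy, current KFM policy), added here as an example and not code from the original poster. It assumes the machine-wide switch is `OneDriveSetup.exe /allusers`, the legacy "Prevent the usage of OneDrive for file storage" policy value `DisableFileSyncNGSC`, and the current policy values under `HKLM\SOFTWARE\Policies\Microsoft\OneDrive`; the tenant ID is a placeholder and the update-task name filter is an assumption.

```powershell
# Added audit script (not from the thread). Read-only: it reports and changes nothing.
$ExpectedTenantId = '<YOUR-TENANT-GUID>'   # placeholder: replace with your Azure AD tenant ID

function Test-OneDriveDeployment {
    $r = [ordered]@{}

    # 1. Machine-wide install (OneDriveSetup.exe /allusers) lands under Program Files;
    #    per-user installs live in each profile's %LocalAppData%.
    $machineExe = @("$env:ProgramFiles\Microsoft OneDrive\OneDrive.exe",
                    "${env:ProgramFiles(x86)}\Microsoft OneDrive\OneDrive.exe") |
                  Where-Object { Test-Path $_ } | Select-Object -First 1
    $r.MachineWideInstall = [bool]$machineExe
    $r.PerUserInstalls = @(Get-ChildItem "$env:SystemDrive\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe" `
                            -ErrorAction SilentlyContinue).Count

    # 2. Old Windows policy that blocks the sync client outright ("weird old GroupPolicy").
    $legacy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' -ErrorAction SilentlyContinue
    $r.LegacyDisableFileSyncNGSC = ($legacy.DisableFileSyncNGSC -eq 1)
    $r.LegacyDisableFileSync     = ($legacy.DisableFileSync -eq 1)

    # 3. Current OneDrive policies: silent sign-in and Known Folder Move (Desktop/Documents/Pictures).
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' -ErrorAction SilentlyContinue
    $r.SilentAccountConfig  = ($pol.SilentAccountConfig -eq 1)
    $r.KFMSilentOptInTenant = $pol.KFMSilentOptIn
    $r.KFMTenantMatches     = ($pol.KFMSilentOptIn -eq $ExpectedTenantId)
    $r.KFMBlockOptOut       = ($pol.KFMBlockOptOut -eq 1)

    # 4. Per-machine update task present (task name filter is an assumption).
    $r.PerMachineUpdateTask = @(Get-ScheduledTask -TaskName 'OneDrive*Update*' -ErrorAction SilentlyContinue |
                                Where-Object { $_.TaskName -like '*Per-Machine*' }).Count -gt 0

    [pscustomobject]$r
}

$result = Test-OneDriveDeployment
$result | Format-List

# Findings that deserve a ticket
if (-not $result.MachineWideInstall) {
    Write-Warning 'OneDrive is not installed per-machine; binaries and update tasks still live in user profiles.'
}
if ($result.LegacyDisableFileSyncNGSC -or $result.LegacyDisableFileSync) {
    Write-Warning 'Legacy "Prevent the usage of OneDrive for file storage" policy is still applied.'
}
if (-not $result.KFMTenantMatches) {
    Write-Warning 'Known Folder Move is not silently enabled for the expected tenant; Desktop/Documents are not being backed up.'
}
```

Run it elevated on a sample of machines (or via your RMM) and compare the output against what your GPO says should be applied; a mismatch between the two is usually the stale policy or per-user install the thread is talking about.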

@SwiftOnSecurity I'm a big fan of OneDrive for a lot of these reasons. Wish we could use it for more of our systems, but a lot of them are set up for local accounts that are used by multiple users.
I don't suppose you have any OneDrive magic for those sort of setups? 😮
@severedaffect @SwiftOnSecurity I've got similar situations with SPE not bound to AD or connected to the internet. Onsite file servers still come in handy, and Documents directory can be redirected to a mapped drive even on older operating systems.

@SwiftOnSecurity I hate to say this, but when people ask me about my work experience, I describe it as the SoS path to security. 4-5 years doing helpdesk and desktop support, lateral movement to the security team and working my way up there.

My formal education is in Architecture (non-IT) and business systems, so my path has been all on-the-job learning. I forever felt doomed to sysadmin work but the original SoS memes gave me hope!

@Ptisan @SwiftOnSecurity No kidding. theater > video game support > video game tester > enterprise help desk > SOC/NOC > server admin > compliance analyst > policy/comms > cyber product evangelism > cyber marketing (basically in theater again).

The path is long and twisted.

@SwiftOnSecurity FWIW, as an engineer, IT teams in some orgs take little time to understand what the engineers/devops guys are doing, need to do - they are just there to say "no" or "wait until we officially support it next year". I once burned a CD, took it home, and uploaded it via FTP because IT had blocked ST MicroElectronics site as "non-business related". We learn to go around them when they get in the way, rather than ask for help...and that's not good.
@SwiftOnSecurity The “this shit is broke!” to “how can I fix shit?” pipeline is real.
@SwiftOnSecurity yep, my path as well. Help desk -> sys/net admin -> sec engineer. You learn real quick to assume it's going to break and come up with how you'd fix it if it did. I have a bunch of automation ready for scenarios such as the ASR debacle today. Not affected, but could have recovered quickly. Bad AV sigs are what keep me up at night. So I plan for it, and have abilities beyond the vendors' consoles to disable/remove/etc their product en masse.
@SwiftOnSecurity Also listen to your front-line employees — whether the customers are internal or external. They’re typically the only touchpoint the company has.
@SwiftOnSecurity I 100% am of the mind that service / help desk is the first line of defense in cybersecurity. Not only do you get to see the types of issues and fixes that are common for your environment, you are often the first to notice when things are a bit ‘off’. Service desk is a great source of threat intelligence for an org that is all too often overlooked.
@jasonelrod @SwiftOnSecurity 1000%. The best thing is when someone comes into my office, shuts the door, and says, “I think there’s something you ought to know.”
@jasonelrod Second line of defense. The first one is end users well educated about the common risks and patterns of cyber threats.
@philip @jasonelrod If people don't trust and love your helpdeskies, that second critical conversation doesn't happen.

@jasonelrod @SwiftOnSecurity also useful when moving to operations as well. Having a foundational rather than theoretical understanding of vulns, exploits, and user behavior informs good decision-making more or less daily.

It's for this reason I lurk in the tech support channel in our org. They are very often the canary in the coal mine.

@jasonelrod @SwiftOnSecurity also... as well... argh. Fried-day has assaulted the part of my brain that grammars rightly. Cheers!
@me @SwiftOnSecurity Way back in the day, I would sometimes stop by the helpdesk on the weekend, sit at a desk, and jump in the queue with the team and take calls alongside them for a while. I was easily the worst one on the shift, but some of the best opportunities and ideas for improvement across stability, scalability, security, and supportability came from those weekend visits.
@me @jasonelrod @SwiftOnSecurity the number of production level issues I've identified from a single overlooked customer support email...
@jasonelrod @SwiftOnSecurity help desk made me the man I am today. And I can never forgive that.
@SwiftOnSecurity That's how I went from Technical Writer to Software Engineer to UX Designer. I wanted to fix or prevent UI problems instead of documenting the workarounds.
@SwiftOnSecurity what helps is we still have network shares, but I am getting different departments to migrate to SharePoint/OneDrive.
@SwiftOnSecurity that's why I literally documented the backend for a payment processor so it can be set up from scratch within less than 15 minutes by literal #TechIlliterates following the instructions word-by-word.
@SwiftOnSecurity I should put my IDE configs in source control… That’s probably the only reason I couldn’t rebuild my environment on a new device quickly 😂
@SwiftOnSecurity reminds me of days I’d find ways to keep my father away from his computer as I was rebuilding it.

When I worked at One Laptop per Child, each machine had a wiki page w/ a complete, step-by-step rebuild for hardware & configuration & software from scratch.

At Tufts, we could and did flip data centers with everything, literally everything, with < 1.5 seconds interruption in service.

At Tufts we had the "two H-Bomb rule": no loss of service unless someone dropped an H-Bomb on two data centers of ours or two top-level exchanges.

Then be back up in one day.


@SwiftOnSecurity I received this notification from Twitter too. 😄
@SwiftOnSecurity so uh, fair warning: there's an as yet unresolved bug in OneDrive for macOS wherein it will sometimes randomly overwrite your files with an equal number of NULL bytes. Ask me how I found this out!
@memory @SwiftOnSecurity Can you provide more info, please?

@kyozou @SwiftOnSecurity it’s been about a year since I lost my mind over this and I never found any sort of root cause or even a summary page but you can find trades of the issue in a few places eg:

https://answers.microsoft.com/en-us/msoffice/forum/all/onedrive-corrupted-files/181006dd-6c36-483a-aca3-a2b8308f971a

https://superuser.com/questions/1320371/recover-deleted-files-resulting-in-null-only-values


@SwiftOnSecurity @memory thanks! I just migrated a bunch of stuff to OneDrive in process of switching from windows to Mac.
@[email protected] @SwiftOnSecurity I’m asking as both a macOS user and onedrive user. My more important stuff is in the vault but still.
@Filimentation https://answers.microsoft.com/en-us/msoffice/forum/all/onedrive-corrupted-files/181006dd-6c36-483a-aca3-a2b8308f971a — I never saw any official acknowledgement of this bug from MSFT, so I definitely recommend multiple backup strategies.

@memory the product team would like to learn more about this issue - would you be willing to share? You can reach me at [email protected]. Thanks!
@SwiftOnSecurity and yet orgs are moving to Google Workspace. Fuck those orgs.
@SwiftOnSecurity you can get this with personal Premium as well. Then map your Desktop, Music, Pictures, etc. to the OneDrive folder. Also you get a vault with MFA.
@Filimentation @SwiftOnSecurity As someone who pays for business O365 to use with my own domain I wish there was a way to use the personal vault or a way to unlock storage/features on the personal account by linking the business one to it.
@SwiftOnSecurity there are certainly some business verticals where OneDrive is not ideal.
@SwiftOnSecurity We do this because, combined with full-disk encryption, it's fabulous insurance against lost and stolen laptops.
@SwiftOnSecurity At least for Google Workspace at a very small company, I never really felt comfortable with techniques to prevent total account deletion. That may be fairly unlikely, but it's a possibility.
@SwiftOnSecurity agreed. It's freaking magic, as a user. And your "recent files" syncs to your tablet as well.
@SwiftOnSecurity I don't think there's anything transparent about how it picks up and moves your entire documents/desktop folders into the onedrive folder without even warning you that's how it'll do things when you turn it on.
Better hope you didn't have anything that uses fixed file paths stored there or it's now busted!