Mastodawn

Looks like today's theme is

@cR0w I read this as... don't patch

@kajer @cR0w weird, just about every company I've ever worked for has interpreted it identically.

@rootwyrm @cR0w Someone has to have the voice of corp-tech.

If I can't patch... invalid way to address the problem, because conditions will apply.

If i never patch, then there are no conditions, and we're still running prod! WOO!

@kajer @cR0w most shops, the excuse is "it's stable! We shouldn't patch it might introduce problems."

And that's how your extremely critical Internet facing infrastructure is running Docker containers from 2018 that have been abandoned upstream.

cR0w

@rootwyrm @kajer blows dust off SCADA HMI keyboard for host with more uptime than a lot of fedi users

@cR0w @rootwyrm DO NOT UNPLUG

if you pull the PS/2 keyboard, the driver will unload and will not reload until next boot, which is

checks notes

never.

@kajer @cR0w fun related fact: I know of a very large institution which runs their own Certificate Authority.

This CA is basically openssl on a fully air-gapped laptop.
That laptop in 2021 was running RHEL4. Because it was *COMPLETELY* airgapped. No network. Only one USB port not filled with epoxy. Kept in a safe.
And this was deemed safe and secure because it was completely and totally airgapped.

@rootwyrm @cR0w that sounds delightfully 90s... but... how does one do cert issues? or verification of the full chain?

I only have questions

ducksauz 🦆5d ago

@kajer @rootwyrm @cR0w

This must have been the internal root CA. I know, because I used to run the internal root at a previous job. The workflow looked like this:

* get root CA from safe
* generate CSR on new issuing CA, copy to new flash drive
* plug flash drive into root CA, issue cert, copy to flash drive
* plug flash drive back into online machine, copy cert to issuing CA
* put root CA back in safe

There was a similar process for issuing the root CA's CRL every month

@ducksauz @kajer @cR0w yep, exactly that! There were actually *multiple* internal Root CAs.
The part that always made me giggle is that incomprehensibly, one of those internal roots was used with *HSMs*.

ducksauz 🦆5d ago

@rootwyrm @kajer @cR0w

HSMs in plural? My root had an HSM card in it (it was a desktop).

Though, I could see maybe having redundant USB attached HSMs and encrypting the root's PrivKey to KEKs stored in each HSM.

@ducksauz @kajer @cR0w HSMs very, VERY, *VERY* plural.

I was not directly involved, but my understanding was that they used the offline root CA as part of the authentication system to ensure they had not somehow wandered off the network.
These kind of HSMs.

@rootwyrm @ducksauz @cR0w $previous_job - We had HSMs in AWS and paid a VERY pretty penny to keep those legacy as fuck machines running until we found something better... (we didnt by the time covid layoff happened)

@kajer @ducksauz @cR0w you really, really have to be an absolute idiot to pay for "cloud" HSMs, honestly. They are INSANELY expensive to say the very least, and it is completely impossible for them to actually be secure.
It just is. PHYSICAL inspection and PHYSICAL tamper indicators are a non-optional part of it.

Meanwhile a Thales Luna 7 hardware HSM at the very tippy top end (max perf, 5 partitions, ent support) costs less than half that.
For 3 years.