*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 13:49 |
*** laszlof (~laszlof@wookie.tvog.net) has joined #wikid | 21:42 |
laszlof | Hey nick, saw your message on linkedin | 21:42 |
nowen | hey | 21:42 |
nowen | how's it going? | 21:42 |
laszlof | pretty well, I resigned from ASO at the end of last year | 21:42 |
nowen | i figured | 21:42 |
laszlof | been running my own development company since then, doing pretty well. | 21:43 |
nowen | nice | 21:43 |
laszlof | I was getting more and more micro-management over me at ASO, was starting to get annoying | 21:44 |
nowen | what kind of stuff are you doing? | 21:44 |
nowen | sounds like you should be an entrepreneur ;) | 21:44 |
laszlof | indeed. | 21:44 |
laszlof | Mostly PHP development, I do a lot of WHMCS based stuff these days | 21:44 |
laszlof | along with some larger projects with an Atlanta based lending company | 21:45 |
nowen | is WHMCS very popular? | 21:45 |
laszlof | probably one of the most popular billing platforms for web hosts | 21:45 |
nowen | php-based? | 21:45 |
laszlof | yes | 21:45 |
laszlof | I've done quite a few sites that have absolutely no web hosting products as well, with WHMCS in the backend | 21:46 |
laszlof | it's very customizable | 21:46 |
laszlof | and even though it's encoded, it's very developer friendly | 21:46 |
laszlof | lots of hooks and a pretty good API | 21:46 |
nowen | cool | 21:47 |
nowen | atlanta-based customers or all over? | 21:47 |
laszlof | world-wide | 21:47 |
laszlof | I think I only have 1 customer I work with that's Atlanta based. | 21:47 |
nowen | yeah, that internet thing might just work out | 21:47 |
laszlof | most of them are in europe, australia, etc. | 21:47 |
nowen | did you see the linode news? | 21:48 |
laszlof | no? | 21:48 |
laszlof | wow | 21:49 |
nowen | http://bitcoinmedia.com/compromised-linode-coins-stolen-from-slush-faucet-and-others/ | 21:49 |
laszlof | yeah, reading now on theregister | 21:49 |
laszlof | I'm skeptical on the scope of the attack | 21:51 |
laszlof | they seem to indicate it was targeted at only 8 clients. I find that highly unlikely | 21:51 |
nowen | yeah, why stop there? | 21:51 |
laszlof | "All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin". The intruder proceeded to compromise those Linode Manager accounts," | 21:52 |
laszlof | "The portal does not have access to credit card information or Linode Manager user passwords." | 21:52 |
laszlof | so they were able to gain access to the customers' manager accounts | 21:53 |
laszlof | but the portal doesn't contain that info | 21:53 |
laszlof | ... | 21:53 |
laszlof | they better be damn sure no credit card data was accessible by the breach. Failing to notify Visa of an intrusion is grounds for massive fines and revocation of any merchant accounts | 21:54 |
nowen | yep | 21:54 |
laszlof | I think it's like, $50K per card, or something like that | 21:54 |
laszlof | it's a lot. | 21:54 |
laszlof | some reports say $70K, another one I'm reading says $228K | 21:56 |
nowen | ouch | 21:58 |
nowen | yeah, so I thought about ASO today when I saw that | 21:59 |
laszlof | yeah, we've been there. Fortunately the card data was never stolen | 22:00 |
laszlof | At least not that we knew about. | 22:00 |
laszlof | they're using a VPN and 2 factor on everything now. it would be nearly impossible for someone to hack it. | 22:01 |
nowen | are the customer service reps using 2FA? | 22:02 |
laszlof | yes | 22:02 |
laszlof | everything is restricted to the VPN IP address. | 22:02 |
laszlof | which requires 2FA | 22:02 |
laszlof | plus, the billing login as well as several other key systems use 2FA as well | 22:02 |
laszlof | you'd have to crack the 2 factor on the VPN, then do the same for any system you're trying to get into | 22:02 |
laszlof | and only a few people have access to the DB server that hosts the billing data | 22:03 |
laszlof | that requires being on the VPN, SSHing to a specific "central" server, and then SSHing to the DB box. none of which use static passwords. it's either 2 factor or ssh keys | 22:04 |
laszlof | before I left I was implementing required password changes every 60 days | 22:04 |
laszlof | for anything that required a static password | 22:04 |
laszlof | like email, etc. | 22:04 |
laszlof | even root passwords on all the servers are rotated every X amount of hours | 22:05 |
nowen | hmm - seems like requiring 2fa would be easier for some of that | 22:05 |
laszlof | not possible | 22:06 |
laszlof | cpanel doesn't support 2 factor (yet) | 22:06 |
nowen | ugh, that's right | 22:06 |
laszlof | that's pretty much the only reason for root passwords in the first place | 22:06 |
laszlof | everything else is done with keys | 22:07 |
nowen | yeah. you could put 2fa on sudo | 22:07 |
laszlof | that's probably a bit overkill. We just have a script setup on our "central" servers that lets specific user accounts ssh to the shared servers as root | 22:08 |
laszlof | and everything from there is logged | 22:08 |
laszlof | remotely logged, even :) | 22:08 |
laszlof | after the last break-in, I built a syslog server to store everything | 22:08 |
laszlof | I'm not sure what they're doing now. I was pretty much the only one who gave 2 shits about security | 22:09 |
laszlof | even though I was a developer, I was doing the job of our CTO a lot of the time | 22:09 |
laszlof | mmm. think I'm going to make bacon wrapped pork tenderloin medallions tonight | 22:11 |
nowen | damn, that sounds good | 22:14 |
laszlof | i made some a few weeks ago, they were awesome | 22:14 |
nowen | entrepreneuring must agree w/ you :) | 22:14 |
laszlof | I'm doing much better than I expected. :) | 22:15 |
laszlof | it pretty much blew up once I got my business up and running | 22:16 |
nowen | good stuff | 22:17 |
nowen | we're expecting a couple of big deals to close soon. will be nice | 22:17 |
laszlof | even been doing some mobile app development, HTML5/CSS3/javascript | 22:18 |
nowen | interesting | 22:22 |
nowen | if you figure out a way to better store private keys, let me know. I think our html5 token gets wiped when the cache is cleared | 22:23 |
laszlof | only 2 methods | 22:24 |
laszlof | localstorage and whatever that sql thing is they have | 22:24 |
nowen | is there a potential for a WHMCS/WiKID tie in? | 22:24 |
laszlof | I don't think you can store on the filesystem unless you use a native app | 22:25 |
nowen | yeah, too bad | 22:25 |
laszlof | nah, this was for a medical company | 22:25 |
laszlof | a data entry app for their nurses that syncs data to quickbase | 22:25 |
nowen | ok - time for me to head home | 22:45 |
nowen | stay in touch laszlof! | 22:46 |
laszlof | will do | 22:46 |
nowen | later! | 22:46 |
*** nowen has quit (Quit: Leaving.) | 22:47 |