• invalidusernamelol [he/him]@hexbear.net
    link
    fedilink
    English
    arrow-up
    13
    ·
    10 days ago

    Requiring rotating key/authenticator access for remote work and allowing users to come up with a solid terminal password on local access is pretty good.

    That way all local connections can be verified and remote logins have the extra security layer.

    That being said, if a priveleged user manages to compromise their local work machine it’s all fucked.

    • Deadend [he/him]@hexbear.net
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 days ago

      That’s where security experts who are checking for things to go bad come in.

      Making everyone a security expert + doing their job is some uphill ice skating.

      • invalidusernamelol [he/him]@hexbear.net
        link
        fedilink
        English
        arrow-up
        2
        ·
        7 days ago

        A good bet it to open a dummy ssh port that no one should ever connect to, then immediately add any ip that tries to connect to it to a blacklist.

        At the end of the day every security measure can be bypassed, you just need to be prepared for that inevitability.

        • Deadend [he/him]@hexbear.net
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 days ago

          Locks are based on time/difficulty/detectability in the real world. The goal is “can’t to break in without getting caught”

          It’s all a balance between risk/security and actually being useful.