45

The company i work for has a jenkins server (for people that don't know jenkins, it's an automated build service that gets the latest git updates, pulls them and then builds, tests and deploys it)

Because it builds the software, people were scared to update it so we were running version 1.x for a long time, even when an exploit was found... Ooh boy did they learn from that...

The jenkins server had a hidden crypto miner running for about 5 days...

I don't know why we don't have detectors for that stuff... (like cpu load being high for 15 minutes)

I even tried to strengthen our security... You know basic stuff LIKE NOT SAVING PASSWORDS TO A GOOGLE SPREADSHEET! 😠

But they shoved it asside because they didn't have time... I tried multiple times but in the end i just gave up...

Comments
  • 18
    Lost it at Google Spreadsheet. WTF. 😨
  • 7
    @incognito @nin0x03 out of curiosity, where do you manage (or recommend managing) your team passwords?

    That has been one of the discussions we had in work sometime ago.
  • 4
    @ivoecpereira most would say LastPass but I do not like their platform and would recommend you to look at the top 10 password managers, look at their history and if you can trust them

    Personally i use Keepass because then i am in control of the data, for teams i don't know, maybe Dashlane? Or else just LastPass i mean, everything is better than spreadsheets
  • 3
    @incognito oh man. I use the same exact setup as you, but for personal use!

    Using Keepass2Android to keep them in sync makes the magic.

    However for teams I am not so sure on what should be used. Wished there was a specific password manager for teams - preferentially open source.
  • 4
    @ivoecpereira I wanted to keep it secret, but I am creating an open source password manager for teams. The project has fallen silent for quite some time, maybe when my personal life isn't shitty anymore I'll continue it.
  • 1
    @incognito seems awesome! I feel sorry for your life not going so well atm, but better days will come man. Lmk once you have further updates on it.

    Seems like an awesome project.
  • 1
    @ivoecpereira thanks for the kind words, I will notify you once it's available
  • 0
  • 4
    The same thing happened at my company, the jenkins crypto-miner part. But no, even we weren't foolish enough to save our passwords in google spreadsheets.
  • 1
    Btw, I've just seen passbolt. Anyone has already used it before? Or any other alternatives?
  • 1
    @ivoecpereira passbolt is premature software (it is still in alpha phase)

    they even state on the site

    "Currently passbolt is in “alpha”, which means it is not yet a completely finished product. While we encourage you to try it out, the answer to whether you should store critical information with it depends on your security level requirements."

    naturally I advice against it, but it is your choice.
  • 1
    @incognito As I know you IRL, I can very much imagine your reaction when you found out about this one xD
  • 3
    @ivoecpereira I am not on a SW team atm, but good question.
    My first idea would've been a shared keepassx-file.
Add Comment