| ▲ | JonChesterfield 8 hours ago |
| So gain access to a machine that can ask Microsoft Intune to eviscerate the company, ask it to do so, done. Bit of a shame all the machines had that installed really. Reminds me of CrowdStrike. |
|
| ▲ | shiroiuma 6 hours ago | parent | next [-] |
| The company should have known better than to trust their IT infrastructure to Microslop. This is their own fault. |
| |
| ▲ | Xylakant 6 hours ago | parent | next [-] |
| My 95% bet is that the attacker just gained access to an account with suitable privileges and then went on to use existing automation. The fact that it’s Intune is largely irrelevant - I’m not aware of any safeguards that any provider would implement. So the options here are MDM or no MDM and that’s a hard choice. No MDM means that you have to trust all people to get things as basic as FDE or a sane password policy right. No option to wipe or lock lost devices. No option to unlock devices where people forgot their password. Using an MDM means having a privileged attack vector into all machines. |
| ▲ | neo_doom 3 hours ago | parent [-] |
| No MDM just isn’t an option for most enterprises but ideally the keys to the kingdom are properly secured. |
| ▲ | mulmen 2 hours ago | parent [-] |
| How does that look exactly? Someone has to be able to use MDM to manage devices or there’s no point in having it. This scenario is firmly in rubber hose/crescent wrench cryptanalysis territory. Can updates have delays with approval gates built in? Does MDM need a break glass capability? |
|
| ▲ | heraldgeezer 4 hours ago | parent | prev [-] |
| What alternative to Intune and, hell, the entire Office 365 suite that it is in, do you have? Gsuite + Slack I guess. lmao. As if that is better. Looking forward to your reply. |
| ▲ | pjc50 an hour ago | parent | next [-] |
| All the Linux kernel development work is organized around a mailing list, and some private IRC chats for the core people. It's the technology of the nineties but it works for them. |
| A lot of corporate stuff seems to be much worse than even a random vibe coded web app. I have to book holiday through something called "HR Connect", watching pages load laboriously and redirect every login through several very long URLs. Slowly. |
| ▲ | heraldgeezer an hour ago | parent [-] |
| Yes, the Linux kernel people can be trusted to manage their own machines. Random corp employees cannot. Also corp machines are corp property, not the employees' own. If you have 1000 or 10,000 machines you need to manage them. Full stop. |
| Yes, many corporate websites are bad. Like ERP or HR systems. None of that has to do with device management, RMMs/MDMs or Intune. |
| |
| ▲ | JonChesterfield 3 hours ago | parent | prev [-] |
| Well, all the machines in the current outfit are Linux as far as I know. Services are self hosted. Seems to be fine, Teams et al. run adequately in a browser for talking to people on other stacks. |
| Previous place had a corporate controlled Windows laptop that made a very poor thin client for accessing dev machines. One before that had a somewhat centrally managed MacBook that made a very poor thin client for accessing dev machines. |
| You don't have to soul bond to Microsoft to get things done. |
| ▲ | Ekaros 3 hours ago | parent | next [-] |
| I don't see how Linux would prevent anything if the company wants similar controls on their machines. Like tracking update status, forcing updates when needed, potentially wiping entire device when stolen and so on. Fault really is not the OS but the control corporate wants over their devices. And it does make some sense. |
| ▲ | pjc50 an hour ago | parent [-] |
| Indeed. You'd expect a corporate IT system to be able to ssh as root into all their devices. |
| And the cloud is even worse: if you get hold of the right IAM role, you can simply delete everything! That does usually get locked behind proper 2FA, but it's not impossible to phish even experienced admins once in a while. |
| |
| ▲ | heraldgeezer an hour ago | parent | prev [-] |
| That is all well and good but how do you: |
| - Ensure the Linux machines are up-to-date and users are not just indefinitely postponing OS updates? |
| - Same as above but with programs/software |
| - How do you ensure correct settings configuration in terms of security? Say default browser, extensions, program access etc? |
| - Re-image or reinstall the OS when there are issues or PC handover to another employee? Manually with a USB stick? |
| This kind of control exists and is needed for Linux and macOS too. RMM is not a Windows only thing... |
| The critics here see Intune but what if they used another RMM and they compromised another cloud RMM account? Same issue. |
|
| ▲ | heraldgeezer 4 hours ago | parent | prev [-] |
| > Bit of a shame all the machines had that installed really. |
| Are you new to Windows sysadmin stuff? Or you have 0 idea whatsoever and you are just vibein? |
| How else are we supposed to deploy/push programs and settings and in the past over SCCM, an entire OS, if the machines don't have it installed? |
| This is also how your precious Linux tools Ansible and Puppet work btw. And MDMs like Mosyle for OSX. They need it installed. Because IT needs to keep check on updates and settings and programs. But I suspect you are a rockstar dev and don't need no IT. |
| Go on, I'll wait. |
| mmm yeaaah just downvote me instead. Hide the wrongthink. You people need to not be so sure of yourselves. |
| |
| ▲ | JonChesterfield 3 hours ago | parent | next [-] |
| An alternative is people install the software they choose to on the machines they're using. Optionally write a list of suggested programs down somewhere. |
| In that world, there is no central IT team pushing changes to machines and arguing with developers about whether they really need to be able to run a debugger. |
| I don't know how to keep Windows machines alive. It's probably harder. |
| ▲ | heraldgeezer an hour ago | parent | next [-] |
| That is all well and good but how do you: |
| - Ensure the machines are up-to-date and users are not just indefinitely postponing OS updates? |
| - Same as above but with programs/software |
| - How do you ensure correct settings configuration in terms of security? Say default browser, extensions, program access etc? |
| - Re-image or reinstall the OS when there are issues or PC handover to another employee? Manually with a USB stick? |
| This kind of control exists and is needed for Linux and macOS too. RMM is not a Windows only thing... |
| The critics here see Intune but what if they used another RMM and they compromised another cloud RMM account? Same issue. |
| Also, here there is no "arguing". They order the software from our portal and it gets pushed into Company Portal via Intune... |
| Write down a list you say... idk what to say. You have only worked for small startups I gather? Nothing wrong with that but please recognize that these types of limits and programs are not deployed for fun or to ruin your day. |
| ▲ | pjc50 2 hours ago | parent | prev | next [-] |
| It's annoying, but it's also grossly irresponsible to let dev machines get compromised. Regardless of which OS they are running. |
| ▲ | vntok 2 hours ago | parent | prev [-] |
| I, for one, don't really want employees to install video games, porn cam clients, torrenting apps, shady VPN clients, crypto miners, remote access tools, DNS "optimizers" and more generally viruses on their work computers. |
| |
| ▲ | pjc50 2 hours ago | parent | prev [-] |
| On HN, if you have a valid point but get unnecessarily aggressive about it, people will downvote you for attitude. This mostly keeps the forum under control. |
| ▲ | heraldgeezer an hour ago | parent [-] |
| I am sorry and I get carried away sometimes but it is frustrating seeing comments from cowboy devs saying to just give everyone admin, have an Excel sheet of software and have people manage their own PC and to get rid of IT just because as here they got phished or breached. |
| That works for a 5 person company but not a 1000 person company. Or a 10 person company with 1000 machines. |
|