  • I've been going crazy with a co-worker who recently started, and had to share some insights from "the best security guy out there"


    I mentioned to -- let's call him "Jake" -- Jake that there was a proof-of-concept for modifying the firmware that interfaces with USB to place attack payloads on them.  He is our security guy.  Penetration testing, checks for exploits, etc. This is also the same guy who wanted to make sure that IPMC was closed, called port 25 SNMP, and just asked me if he was allowed to XXS test my servers (XSS, obviously).


    I couldn't make this next bit up.  His response to my proof-of-concept report was this:


    At NSA we were taught how to write a specific malware that was embedded in an MP3 song and all users had to do was play the song from the CD
    it was a virus, worm and bot altogether
     Other Jake-isms:

     I set up a virtual Kali server for him, and told him to test access using X11 forwarding (we don't give people access to the hypervisor).  He opens Firefox and asks for the URL.

     I set up an outside server for him, and tell him to try to connect via SSH.  He asks for the URL.  I explain that a domain is separate from an IP, and both are completely different from a URL.  He argued against my definition.

    Any time I call him on his lack of knowledge, his excuse is that I didn't make myself clear, or I didn't listen to his response.


    My head hurts after talking to him from all the head-slapping he induces.


     Can anybody top my topper?

