I've been going crazy with a co-worker who recently started, and had to share some insights from "the best security guy out there"
I mentioned to -- let's call him "Jake" -- Jake that there was a proof-of-concept for modifying the firmware that interfaces with USB to place attack payloads on them. He is our security guy. Penetration Testing, checks for exploits, etc.
This is also the same guy who wanted to make sure that IPMC was closed, and called port 25 SNMP, and just
asked me if he was allowed to XXS test my servers (XSS obviously).
I couldn't make this next bit up. His response to my proof-of-concept report was this:
At NSA we were taught how to write a specific malware that was
embeeded in an MP3 song and all users had to do was play the song from the CD
it was a virus, worm and bot altogether
I set up a virtual Kali server for him, and told him to test access using X11 forwarding (we don't give people access to the hypervisor). He opens firefox, and asks for the URL
I set up an outside server for him, and tell him to try to connect via SSH. He asks for the URL.
I explain that a domain is separate from an IP, and both are completely different than a URL. He argued against my definition.
Any time I call him on his lack of knowledge, his excuse is that I didn't make myself clear, or I didn't listen to his
My head hurts after talking to him from all the head-slapping he induces. Can anybody top my topper?
At NSA we were taught how to write a specific malware that wasembeeded in an MP3 song and all users had to do was play the song from the CD
That's technically possible, but only if the player is written by a bunch of incompetent fuckmuppets.
. . .
You've seen itunes, right?
Any time I call him on his lack of knowledge, his excuse is that I didn't make myself clear, or I didn't listen to his response
People like this are really poisonous. Especially if they're charismatic and then start on a hate campaign against you to management (because you've spotted they're a sciolist).
Isn't it toppers all the way up?
bunch of incompetent fuckmuppets
That is a perfect definition of the WinAmp ID3 tag vulnerability
came across a good py script to run to test for ShellShock vuln on
So, apparently Apache is type of OS now.
Unrelated, my forehead is getting bloody today.
If you ask him about it, it will be