
Fresh Pcaps, Free for the Asking - lflux
http://rachelbythebay.com/w/2019/10/20/sniff/
======
curryst
I am consistently surprised at how often AAA is left as something to be
implemented after perceived "core functionality". Organizational rules should
stipulate that MVPs must contain AAA, because I would argue anything that
doesn't is not a "viable product".

I think it's partially that it usually involves bringing another team into the
loop, which can expose your design before you're really ready to share it.
I've caused that problem myself; Okta was the accepted SSO solution, but
getting creds to auth with it involved talking to Security and going through a
review which would take at least 2 weeks, and then a week of actually waiting
for it to come through.

I really wish more companies using Okta allowed some kind of a mode that is
analogous to LDAP allowing anonymous queries for username/password checks. I
don't need something that pulls down all the user info, just something that
says "given this username and password, is it valid for someone". Rate-limit
me to 1 QPS to prevent brute-forcing passwords, that's fine; at least I can PoC
with actual auth.

------
londons_explore
_If_ your architecture is well designed, no data goes over the wire
unencrypted, and therefore these pcaps posed no security risk.

_If_ the system was well designed, it would have had _tests_ that no data was
sent unencrypted. For example, port scanners, entropy analysis of packet
captures, etc.

Not allowing packet captures by any random Joe is just defense in depth at
that point.
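A minimal version of the "entropy analysis of packet captures" test this comment proposes, as an added example that is not from the post or the thread: it scores constructed sample payloads (stand-ins for what a pcap reader would hand you per TCP segment) by Shannon entropy and printable-ASCII share, and flags the ones that look like cleartext. The thresholds, payload names and the `_pseudo_random` helper are assumptions.

```python
import hashlib
import math
from collections import Counter

# Tunable heuristics (assumed values, not from the thread).
MIN_BYTES = 64             # below this, per-payload entropy is too noisy to judge
ENTROPY_THRESHOLD = 6.0    # bits/byte; encrypted or compressed data sits near 8
PRINTABLE_THRESHOLD = 0.9  # share of printable ASCII typical of text protocols

def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return printable / len(data) if data else 0.0

def classify(payload: bytes) -> str:
    """Verdict for one payload: 'plaintext', 'high-entropy' or 'inconclusive'."""
    if len(payload) < MIN_BYTES:
        return "inconclusive"   # too little data for the statistics to mean much
    if printable_ratio(payload) >= PRINTABLE_THRESHOLD or shannon_entropy(payload) < ENTROPY_THRESHOLD:
        return "plaintext"
    # Compressed data and binary file formats also score high, so this verdict
    # means "not obviously cleartext", not "proven encrypted".
    return "high-entropy"

def audit(payloads: dict) -> dict:
    """Run the check over named payloads; returns name -> verdict."""
    return {name: classify(p) for name, p in payloads.items()}

def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed sample payloads standing in for TCP payloads pulled from a pcap.
SAMPLE_PAYLOADS = {
    "login-over-http": (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
                        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                        b"user=alice&password=hunter2"),
    "tls-app-data": b"\x17\x03\x03\x08\x00" + _pseudo_random(2048),  # shaped like TLS app data
    "short-segment": b"\x17\x03\x03\x00\x20" + _pseudo_random(32),  # too short to judge
}
```

Calling `audit(SAMPLE_PAYLOADS)` flags only the HTTP login as plaintext; in a real pipeline the plaintext verdicts are the findings to review, and the short segments are the ones to re-check after reassembling the flow.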

~~~
wging
"just" defense in depth? Why not also say, "Our network is so well-architected
that no one can sniff our packets, so even if data is not encrypted, that's
not a problem." The answer is that things break, tests can fail to test what
you think they are testing, you need these layers because something like this
(at least in spirit) _will_ happen at some point.

