
(Inc) Maybe the internet was a spectacularly bad idea, or maybe not investing in proper internet security was a spectacularly bad idea. Same thing (inc.com)

533 clicks; posted to Business on 10 Jun 2021 at 12:01 PM (5 days ago)



52 Comments

 
5 days ago  
If it were possible to program our way out of this mess, would not someone already have managed to do it?

Oof, this is dumb. One of the things I love about being a software engineer is that it's insanely in-demand.

There's no shortage of projects that get rushed because the PM - who is judged on deadlines - will always prioritize (1) Quick and (2) Cheap on the engineer's triangle.

Yes, we can program our way out of this mess. But it's going to cost money.
 
5 days ago  

MusicMakeMyHeadPound: If it were possible to program our way out of this mess, would not someone already have managed to do it?

Oof, this is dumb. One of the things I love about being a software engineer is that it's insanely in-demand.

There's no shortage of projects that get rushed because the PM - who is judged on deadlines - will always prioritize (1) Quick and (2) Cheap on the engineer's triangle.

Yes, we can program our way out of this mess. But it's going to cost money.


So much this.

Why isn't it more secure?
Why are there this many bugs?
Why don't we have all these cool features we thought of?

BECAUSE YOU WANT 3 PROGRAMMERS TO SUPPORT A MILLION LINES OF CODE YOU THUNDERING MORONS.
 
5 days ago  

MusicMakeMyHeadPound: If it were possible to program our way out of this mess, would not someone already have managed to do it?

Oof, this is dumb. One of the things I love about being a software engineer is that it's insanely in-demand.

There's no shortage of projects that get rushed because the PM - who is judged on deadlines - will always prioritize (1) Quick and (2) Cheap on the engineer's triangle.

Yes, we can program our way out of this mess. But it's going to cost money.


Ya that's right, it's all the evil management. If everything was left to the godly and benevolent engineer everything in the world would be great.

Engineers would never write something insecure because it's easier
Engineers would never skip making proper backups because it's easier
Engineers would never grant more permissions than needed because it's easier

Nope, everything would be roses without management. That's why open source projects never have flaws, there's no business running it, just glorious engineers doing the right thing all the time.

Security is hard and no one wants to do it.
 
5 days ago  
Paying ransoms in Bitcoin is cheaper.
 
5 days ago  
Welp. Spotted the project manager.

/the histrionics gave it away
 
5 days ago  
My firewall drops any packets to or from about half of the internet on purpose.

This is the WAN incoming interface on my firewall. It's blocked 2MB of unsolicited traffic from China and 6.57MB from Russian addresses.

[Fark user image 619x504]


Not to mention all the other sources.
Why in this day and age we just let our internet connections be wide open for everything is a conundrum and inexplicable. Lock that shiat down. If China can do it, then we should too.

If you just hook up your router/firewall and don't do anything more than change the password, you deserve what happens.
 
5 days ago  

MusicMakeMyHeadPound: Welp. Spotted the project manager.

/the histrionics gave it away


Probably been working remotely for too long, without having anyone to hover over.
 
5 days ago  
Why not both? If you can't keep it reasonably secure, maybe it's time to look for a better way to do the things the Internet does. Shooting social media into the sun would go a long way towards tamping down the planned stupidity that's been going around, and it would give us time to do productive things instead of watch cat videos.

On my Internet 3.1, you couldn't have an anonymous identity, you couldn't send millions of anonymous packets, and you couldn't infect my system just because I visited your site.
 
5 days ago  

MusicMakeMyHeadPound: If it were possible to program our way out of this mess, would not someone already have managed to do it?

Oof, this is dumb. One of the things I love about being a software engineer is that it's insanely in-demand.

There's no shortage of projects that get rushed because the PM - who is judged on deadlines - will always prioritize (1) Quick and (2) Cheap on the engineer's triangle.

Yes, we can program our way out of this mess. But it's going to cost money.


Ethereum blockchain: Internet II
 
5 days ago  

SMB2811: MusicMakeMyHeadPound: If it were possible to program our way out of this mess, would not someone already have managed to do it?

Oof, this is dumb. One of the things I love about being a software engineer is that it's insanely in-demand.

There's no shortage of projects that get rushed because the PM - who is judged on deadlines - will always prioritize (1) Quick and (2) Cheap on the engineer's triangle.

Yes, we can program our way out of this mess. But it's going to cost money.

Ya that's right, it's all the evil management. If everything was left to the godly and benevolent engineer everything in the world would be great.

Engineers would never write something insecure because it's easier
Engineers would never skip making proper backups because it's easier
Engineers would never grant more permissions than needed because it's easier

Nope, everything would be roses without management. That's why open source projects never have flaws, there's no business running it, just glorious engineers doing the right thing all the time.

Security is hard and no one wants to do it.


Ethereum blockchain: u called?
 
5 days ago  
Ethereum blockchain: global warming for lolcats
 
5 days ago  

MusicMakeMyHeadPound: Ethereum blockchain: global warming for lolcats


Not with proof of stake

Burns less than 0.5% of the power that PoW does

Nice try
 
5 days ago  

MusicMakeMyHeadPound: Ethereum blockchain: global warming for lolcats


[Fark user image]


loldog
 
5 days ago  

SpectroBoy: MusicMakeMyHeadPound: If it were possible to program our way out of this mess, would not someone already have managed to do it?

Oof, this is dumb. One of the things I love about being a software engineer is that it's insanely in-demand.

There's no shortage of projects that get rushed because the PM - who is judged on deadlines - will always prioritize (1) Quick and (2) Cheap on the engineer's triangle.

Yes, we can program our way out of this mess. But it's going to cost money.

So much this.

Why isn't it more secure?
Why are there this many bugs?
Why don't we have all these cool features we thought of?

BECAUSE YOU WANT 3 PROGRAMMERS TO SUPPORT A MILLION LINES OF CODE YOU THUNDERING MORONS.


Who is going to look out for the lazy sit-at-home stock owners and their free capital gains??

Fewer employees means more for them
 
5 days ago  

SpectroBoy: MusicMakeMyHeadPound: If it were possible to program our way out of this mess, would not someone already have managed to do it?

Oof, this is dumb. One of the things I love about being a software engineer is that it's insanely in-demand.

There's no shortage of projects that get rushed because the PM - who is judged on deadlines - will always prioritize (1) Quick and (2) Cheap on the engineer's triangle.

Yes, we can program our way out of this mess. But it's going to cost money.

So much this.

Why isn't it more secure?
Why are there this many bugs?
Why don't we have all these cool features we thought of?

BECAUSE YOU WANT 3 PROGRAMMERS TO SUPPORT A MILLION LINES OF CODE YOU THUNDERING MORONS.


Oh man I feel this in my SOUL! My team of five is working to put out a pretty complicated app (patient access to electronic medical records) on both major app stores by August. None of us had seriously touched Swift or Java/Kotlin until January. The PMs are giving pushback because of the slow pace of progress and I just want to scream "You're asking a team of five to do something in eight months that takes an experienced team of a dozen almost a year to do, WHILE WE'RE LEARNING THE LANGUAGE! Of course it's farking taking a while, you dipasses!"
 
5 days ago  

SMB2811: MusicMakeMyHeadPound: If it were possible to program our way out of this mess, would not someone already have managed to do it?

Oof, this is dumb. One of the things I love about being a software engineer is that it's insanely in-demand.

There's no shortage of projects that get rushed because the PM - who is judged on deadlines - will always prioritize (1) Quick and (2) Cheap on the engineer's triangle.

Yes, we can program our way out of this mess. But it's going to cost money.

Ya that's right, it's all the evil management. If everything was left to the godly and benevolent engineer everything in the world would be great.

Engineers would never write something insecure because it's easier
Engineers would never skip making proper backups because it's easier
Engineers would never grant more permissions than needed because it's easier

Nope, everything would be roses without management. That's why open source projects never have flaws, there's no business running it, just glorious engineers doing the right thing all the time.

Security is hard and no one wants to do it.


Yeah.... no. Sorry. After more than three decades, I've had to watch as security was discarded in expediency. I know, because I've described at least one instance, on Fark, where I helped to cover up serious security flaws in a product precisely because it was shipped over the protests of the devs and testers who identified & escalated those flaws. They were told, quite simply, that it's too late to fix it and that we're just going to have to tell customers how to avoid the flaws by illustrating all the ways it could be implemented safely and NEVER TELLING THEM about the unsafe implementations. I've spent the last two decades writing around similar flaws for smaller companies because I was ordered to do so, but that one instance, 18 years ago, still rankles.

Yes, engineers really do want to do the right thing on a regular basis, and, yes, they're regularly told by PMs that it's more important to hit a date than to plug a hole.
 
5 days ago  
I just received an email to my work account, someone found out from their associate's LinkedIn that we use a competitor's backup service and he thought he should reach out.

Google tells me that his company just paid a ransom of 2.6m after they got hit in April.

Yeah first, don't cold contact me. Second, I don't think we'll use your service regardless.
 
5 days ago  

xalres: The PMs are giving pushback because of the slow pace of progress and I just want to scream "You're asking a team of five to do something in eight months that takes an experienced team of a dozen almost a year to do


[comb.io image]
 
5 days ago  

logieal: My firewall drops any packets to or from about half of the internet on purpose.

This is the WAN incoming interface on my firewall. It's blocked 2MB of unsolicited traffic from China and 6.57MB from Russian addresses.

[Fark user image 619x504]

Not to mention all the other sources.
Why in this day and age we just let our internet connections be wide open for everything is a conundrum and inexplicable. Lock that shiat down. If China can do it, then we should too.

If you just hook up your router/firewall and don't do anything more than change the password, you deserve what happens.


Jesus, I knew Microsoft was a big deal, but when did it become its own country??
 
5 days ago  

logieal: My firewall drops any packets to or from about half of the internet on purpose.

This is the WAN incoming interface on my firewall. It's blocked 2MB of unsolicited traffic from China and 6.57MB from Russian addresses.

[Fark user image 619x504]

Not to mention all the other sources.
Why in this day and age we just let our internet connections be wide open for everything is a conundrum and inexplicable. Lock that shiat down. If China can do it, then we should too.

If you just hook up your router/firewall and don't do anything more than change the password, you deserve what happens.


Locking down your firewall to prevent inbound connections is easy.  The problems come from the holes that you poke through to allow inbound access to sites that you host and to allow outbound connections from behind your firewall to other sites.  If someone downloads a malicious payload that opens an outbound connection to a control server outside your firewall, inbound rules don't mean jack.  And in a large corporation, admins aren't going to go through the pain of whitelisting every external site.

Furthermore, there is a line of thought that critical infrastructure should be placed on completely air-gapped networks.  Any network with a path to an untrusted network is a potential security threat.  From there you can have various policies that restrict what devices can attach to the network, if encryption should be used, and what peripherals can be attached to those devices.

But even if you protect the "critical" stuff, you can still find yourself in a mess if some other system is hacked.  In the case of the recent attack against a fuel distributor, it was their billing system that was supposedly infected.  They took everything down, in part, because they couldn't bill their customers for the fuel they were distributing and didn't want to deal with it manually.
 
5 days ago  

xalres: My team of five is working to put out a pretty complicated app (patient access to electronic medical records) on both major app stores by August.


Oh, well, geez, that's just persistent personal health information.  I'm sure nobody in the wild would use that for nefarious purposes.  You should really just crap the app out as soon as possible so management can get their bonuses.

<.<

>.>
 
5 days ago  

Dinjiin: logieal: My firewall drops any packets to or from about half of the internet on purpose.

This is the WAN incoming interface on my firewall. It's blocked 2MB of unsolicited traffic from China and 6.57MB from Russian addresses.

[Fark user image 619x504]

Not to mention all the other sources.
Why in this day and age we just let our internet connections be wide open for everything is a conundrum and inexplicable. Lock that shiat down. If China can do it, then we should too.

If you just hook up your router/firewall and don't do anything more than change the password, you deserve what happens.

Locking down your firewall to prevent inbound connections is easy.  The problems come from the holes that you poke through to allow inbound access to sites that you host and to allow outbound connections from behind your firewall to other sites.  If someone downloads a malicious payload that opens an outbound connection to a control server outside your firewall, inbound rules don't mean jack.  And in a large corporation, admins aren't going to go through the pain of whitelisting every external site.

Furthermore, there is a line of thought that critical infrastructure should be placed on completely air-gapped networks.  Any network with a path to an untrusted network is a potential security threat.  From there you can have various policies that restrict what devices can attach to the network, if encryption should be used, and what peripherals can be attached to those devices.

But even if you protect the "critical" stuff, you can still find yourself in a mess if some other system is hacked.  In the case of the recent attack against a fuel distributor, it was their billing system that was supposedly infected.  They took everything down, in part, because they couldn't bill their customers for the fuel they were distributing and didn't want to deal with it manually.


I have the same rules in place for outgoing. But yes, you can only block so much.

Airgapping only works if those computers are never touched by human hands.

xanadian: logieal: My firewall drops any packets to or from about half of the internet on purpose.

This is the WAN incoming interface on my firewall. It's blocked 2MB of unsolicited traffic from China and 6.57MB from Russian addresses.

[Fark user image 619x504]

Not to mention all the other sources.
Why in this day and age we just let our internet connections be wide open for everything is a conundrum and inexplicable. Lock that shiat down. If China can do it, then we should too.

If you just hook up your router/firewall and don't do anything more than change the password, you deserve what happens.

Jesus, I knew Microsoft was a big deal, but when did it become its own country??


They like to think they are.
 
5 days ago  

xanadian: xalres: My team of five is working to put out a pretty complicated app (patient access to electronic medical records) on both major app stores by August.

Oh, well, geez, that's just persistent personal health information.  I'm sure nobody in the wild would use that for nefarious purposes.  You should really just crap the app out as soon as possible so management can get their bonuses.

<.<

>.>


LOL. Luckily all the login security and token management is handled through third party libraries, but just getting them implemented is a biatch and a half. I'm glad I'm only working on locations & maps and live parking info...for now.
 
5 days ago  
"Hello Mr. Security Guy, can you make me cyber secure?"
"Maybe. How do you use computing & data to make money?"
"Huh?"
"What is your data worth and how much money do you lose for every hour of downtime?"
"Whaaa?"
<Sigh> "Ok, whatever. Here, buy product X at 300% markup"
 
5 days ago  

Dinjiin: And in a large corporation, admins aren't going to go through the pain of whitelisting every external site.


Sure they will.  Up until I moved to the non-profit world 3 years ago, I worked in IT for a global chemical company.  No Production server had Internet access except for the actual webservers, which were on their own network.  When we submitted firewall requests we had to provide both a source and a destination IP address and port(s).  If a vendor said their product required general Internet access we just laughed at them.
 
5 days ago  

logieal: I have the same rules in place for outgoing. But yes, you can only block so much.


Blocking all inbound and outbound connections to untrusted nations only provides so much security because of the issue with third parties outside of that block who can act as proxies.  It helps reduce the frequency, but it doesn't prevent it.

logieal: Airgapping only works if those computers are never touched by human hands.


You still have the internal threat vector, yes.  However, it helps reduce the frequency of threats since internal threats tend to be less frequent.  Just like your blocklist, it is all about minimizing because as you point out, human hands are always an issue that can never be fully eliminated.

And I like to think that the point of this conversation is to suggest that most organizations still have a huge arsenal of tools on the table that they haven't used because of cost, time, or inconvenience.
 
5 days ago  
Wow that was a stupid read. As in, I need to find a brick wall to pound my head against so I'll feel better level of stupid read.

Deep breath.

Risk analysis is broken. Traditional risk analysis thinks about MTBF for hardware, probability of 100 year floods, "juice ain't worth the squeeze" level of effort for a particular illegal effort, etc.

There should have been a wakeup call when spam mail was a thing. Basically, once you spend the effort to set things in motion, the success rate doesn't have to be all that high in order for the effort to be worth it.

Now you set up botnets with distributed command and control centers, and pummel everything until you find an issue. If you have to try a million times, no big deal because it's all automated. All you need is one "hit", and it's party time.

You can buy frameworks with support contracts to build this stuff. It's an industry. With a little knowledge, you can use open source software to do most of this stuff as well.

I recently had to explain this to a CTO and CEO. I was not about to let them put out a web application that uncritically reflected user input in an email or PDF report.

I said, all someone would have to do is discover the API, embed nasty URLs in the mail or PDF, and then have the server send them out. Since the mail comes from an official site, users will click on the links and get owned. When the audit trail is finally done, you're going to be looking at a huge liability cost at a minimum.

The CEO and CTO didn't believe me. 15 minutes later, they started receiving mail from the test server with embedded porn site links, as well as spurious messages. That went on for about a day, with them getting random messages at random times with random information.

Perl is a nice tool.

They then claimed that I was a "genius" with "inside knowledge" and no outside hacker could do what I did. I showed the CTO the 10 line Perl program.

The developers were instructed to validate information the next day.

And this is just basic stuff . . .

TLDR: penny wise and pound foolish.
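Added example (an editor's illustration in Python, not GitOffaMyLawn's Perl program or any code from the thread): the pattern the post describes, a notification that drops whatever the API received straight into an outgoing mail from the official domain, next to a version that validates the field before it is used. The app domain, the field names and the two sample notes are made up for the demonstration.

```python
import html
import re
from email.message import EmailMessage

# Constructed sample inputs (not from the thread): what a legitimate user
# and an abuser of the same API might submit as the free-text "note" field.
LEGIT_NOTE = "Thanks for the update, see you Tuesday."
ABUSIVE_NOTE = "Your account is locked, verify at http://evil.example/login now!"

URL_PATTERN = re.compile(r"(?i)\b(?:https?://|ftp://|www\.)\S+")
# Control characters other than TAB/LF/CR, which a multi-line note may legitimately contain.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
MAX_NOTE_LEN = 500


def build_notice_unsafe(display_name: str, note: str) -> EmailMessage:
    """The pattern the post describes: API input is reflected verbatim into
    a mail that leaves with the site's own From address."""
    msg = EmailMessage()
    msg["From"] = "notifications@app.example"   # hypothetical sender
    msg["Subject"] = f"New message from {display_name}"
    msg.set_content(f"{display_name} wrote:\n\n{note}\n")
    return msg


def validate_free_text(value: str, max_len: int) -> str:
    """Reject, rather than silently 'clean', input that has no business in a
    system-generated notification: links, control characters, oversize text."""
    if len(value) > max_len:
        raise ValueError("too long")
    if CONTROL_CHARS.search(value):
        raise ValueError("control characters not allowed")
    if URL_PATTERN.search(value):
        raise ValueError("URLs not allowed in notes")
    return value.strip()


def build_notice_safe(display_name: str, note: str) -> EmailMessage:
    """Same notification, but every attacker-controlled field is validated
    first, kept out of header lines, and HTML-escaped in the rendered body."""
    name = validate_free_text(display_name, 64)
    body = validate_free_text(note, MAX_NOTE_LEN)
    if "\n" in name or "\r" in name:
        raise ValueError("newline in header field")   # header injection attempt
    msg = EmailMessage()
    msg["From"] = "notifications@app.example"
    msg["Subject"] = f"New message from {name}"
    msg.set_content(f"{name} wrote:\n\n{body}\n")
    msg.add_alternative(
        f"<p><b>{html.escape(name)}</b> wrote:</p><p>{html.escape(body)}</p>",
        subtype="html",
    )
    return msg


def contains_link(msg: EmailMessage) -> bool:
    """Does any text part of the finished message carry a URL?"""
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            if URL_PATTERN.search(part.get_content()):
                return True
    return False


def rejects(display_name: str, note: str) -> bool:
    """True if build_notice_safe refuses this (display_name, note) pair."""
    try:
        build_notice_safe(display_name, note)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe, abusive note carries link:", contains_link(build_notice_unsafe("Alice", ABUSIVE_NOTE)))
    print("safe, abusive note rejected:", rejects("Alice", ABUSIVE_NOTE))
    print("safe, header injection rejected:", rejects("Bob\r\nBcc: victim@example.org", LEGIT_NOTE))
```

The unsafe builder is exactly as described in the post: whoever can reach the API decides what the official mail says. The safe builder fails closed on anything link-shaped and on line breaks in fields that end up in headers; the HTML alternative is escaped so a note cannot smuggle in markup either.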
 
5 days ago  

fortheloveofgod: Dinjiin: And in a large corporation, admins aren't going to go through the pain of whitelisting every external site.

Sure they will.  Up until I moved to the non-profit world 3 years ago, I worked in IT for a global chemical company.  No Production server had Internet access except for the actual webservers, which were on their own network.  When we submitted firewall requests we had to provide both a source and a destination IP address and port(s).  If a vendor said their product required general Internet access we just laughed at them.


I'm not talking about production servers in a CAN.  I'm talking about the desktops and laptops that employees use for everyday tasks.  Outside of security sensitive organizations, the norm is usually to allow-all and then block specific classifications of sites.
 
5 days ago  

GitOffaMyLawn: They then claimed that I was a "genius" with "inside knowledge" and no outside hacker could do what I did.


That would have been a perfect time to say, "Oh good, I've been meaning to talk about a raise, so let's discuss that now."

You wouldn't get a raise but it'd at least be hilarious seeing them walk back their previous statements :P
 
5 days ago  

MusicMakeMyHeadPound: GitOffaMyLawn: They then claimed that I was a "genius" with "inside knowledge" and no outside hacker could do what I did.

That would have been a perfect time to say, "Oh good, I've been meaning to talk about a raise, so let's discuss that now."

You wouldn't get a raise but it'd at least be hilarious seeing them walk back their previous statements :P


I'm a consultant. My rates just doubled.
 
5 days ago  
There are no reasons, whatsoever, to have the computers that control your production equipment connected to the internet.  That goes for manufacturing and for utilities.  While you are at it, disable the USB ports and other ways for users to connect random devices to the production network.
 
5 days ago  

Dinjiin: logieal: I have the same rules in place for outgoing. But yes, you can only block so much.

Blocking all inbound and outbound connections to untrusted nations only provides so much security because of the issue with third parties outside of that block who can act as proxies.  It helps reduce the frequency, but it doesn't prevent it.

logieal: Airgapping only works if those computers are never touched by human hands.

You still have the internal threat vector, yes.  However, it helps reduce the frequency of threats since internal threats tend to be less frequent.  Just like your blocklist, it is all about minimizing because as you point out, human hands are always an issue that can never be fully eliminated.

And I like to think that the point of this conversation is to suggest that most organizations still have a huge arsenal of tools still on the table that they haven't used because of cost, time, or inconvenience.


Yeah, I've thought about also trying to track down and make a list of VPN and TOR node IP addresses and add to the list. But at some point, it's fruitless.

At the other end, I keep copious backups of things. And I keep anything that I really want to save on my FreeBSD box.
 
5 days ago  

Dinjiin: fortheloveofgod: Dinjiin: And in a large corporation, admins aren't going to go through the pain of whitelisting every external site.

Sure they will.  Up until I moved to the non-profit world 3 years ago, I worked in IT for a global chemical company.  No Production server had Internet access except for the actual webservers, which were on their own network.  When we submitted firewall requests we had to provide both a source and a destination IP address and port(s).  If a vendor said their product required general Internet access we just laughed at them.

I'm not talking about production servers in a CAN.  I'm talking about the desktops and laptops that employees use for everyday tasks.  Outside of security sensitive organizations, the norm is usually to allow-all and then block specific classifications of sites.


That is true.  But if done properly a breach should only take down the workstations.  Workstations should be on a separate subnet than the rest of your infrastructure.  And you shouldn't have to pay ransom to recover workstations.  Any company worth their salt has images that can be pushed out to restore those in a matter of time.  Of course, it is not perfect.  Short of disconnecting your business from the internet, you face a risk.  The point is there are ways to effectively mitigate that risk.  And as others have pointed out, many times those mitigation efforts are bypassed due to cost & time saving demands from upper management.

When I took over as the IT Director at the non-profit I moved to, I was aghast at the complete lack of security.  I mean complete lack of.  It took me two years to plug the holes.  I'd be willing to bet this is more common than not.
 
5 days ago  

BullBearMS: There are no reasons, whatsoever, to have the computers that control your production equipment connected to the internet.  That goes for manufacturing and for utilities.  While you are at it, disable the USB ports and other ways for users to connect random devices to the production network.


Watchew spec dem ta do ya moran??
 
5 days ago  

Dinjiin: fortheloveofgod: Dinjiin: And in a large corporation, admins aren't going to go through the pain of whitelisting every external site.

Sure they will.  Up until I moved to the non-profit world 3 years ago, I worked in IT for a global chemical company.  No Production server had Internet access except for the actual webservers, which were on their own network.  When we submitted firewall requests we had to provide both a source and a destination IP address and port(s).  If a vendor said their product required general Internet access we just laughed at them.

I'm not talking about production servers in a CAN.  I'm talking about the desktops and laptops that employees use for everyday tasks.  Outside of security sensitive organizations, the norm is usually to allow-all and then block specific classifications of sites.


Or they could run Linux.
 
5 days ago  

fortheloveofgod: Dinjiin: And in a large corporation, admins aren't going to go through the pain of whitelisting every external site.

Sure they will.  Up until I moved to the non-profit world 3 years ago, I worked in IT for a global chemical company.  No Production server had Internet access except for the actual webservers, which were on their own network.  When we submitted firewall requests we had to provide both a source and a destination IP address and port(s).  If a vendor said their product required general Internet access we just laughed at them.


So ur saying its a network design thing........interesting.  ((:::
 
5 days ago  

xanadian: logieal: My firewall drops any packets to or from about half of the internet on purpose.

This is the WAN incoming interface on my firewall. It's blocked 2MB of unsolicited traffic from China and 6.57MB from Russian addresses.

[Fark user image 619x504]

Not to mention all the other sources.
Why in this day and age we just let our internet connections be wide open for everything is a conundrum and inexplicable. Lock that shiat down. If China can do it, then we should too.

If you just hook up your router/firewall and don't do anything more than change the password, you deserve what happens.

Jesus, I knew Microsoft was a big deal, but when did it become its own country??


When they bought the right reps on Capitol Hill.
 
5 days ago  

xalres: SpectroBoy: MusicMakeMyHeadPound: If it were possible to program our way out of this mess, would not someone already have managed to do it?

Oof, this is dumb. One of the things I love about being a software engineer is that it's insanely in-demand.

There's no shortage of projects that get rushed because the PM - who is judged on deadlines - will always prioritize (1) Quick and (2) Cheap on the engineer's triangle.

Yes, we can program our way out of this mess. But it's going to cost money.

So much this.

Why isn't it more secure?
Why are there this many bugs?
Why don't we have all these cool features we thought of?

BECAUSE YOU WANT 3 PROGRAMMERS TO SUPPORT A MILLION LINES OF CODE YOU THUNDERING MORONS.

Oh man I feel this in my SOUL! My team of five is working to put out a pretty complicated app (patient access to electronic medical records) on both major app stores by August. None of us had seriously touched Swift or Java/Kotlin until January. The PMs are giving pushback because of the slow pace of progress and I just want to scream "You're asking a team of five to do something in eight months that takes an experienced team of a dozen almost a year to do, WHILE WE'RE LEARNING THE LANGUAGE! Of course it's farking taking a while, you dipasses!"


Why do u hate freedom and state capitalism??
 
5 days ago  

fortheloveofgod: When we submitted firewall requests we had to provide both a source and a destination IP address and port(s).


Blacklists for malicious traffic can never work.  The malicious software will always change faster than you can update a blacklist.

You have to do the hard work of figuring out which machines need to talk to each other and what ports they use during normal operation, and allow only that traffic on the network.
 
5 days ago  
Well, that was a spectacularly bad article so...
 
5 days ago  

MusicMakeMyHeadPound: If it were possible to program our way out of this mess, would not someone already have managed to do it?

Oof, this is dumb. One of the things I love about being a software engineer is that it's insanely in-demand.

There's no shortage of projects that get rushed because the PM - who is judged on deadlines - will always prioritize (1) Quick and (2) Cheap on the engineer's triangle.

Yes, we can program our way out of this mess. But it's going to cost money.


I see you estimated this at 8000 hours. Well, we had to bid 3000 hours to win the contract but we are willing to take the loss now to earn more business in the future. (a few months later....) Why are we over budget?!
 
5 days ago  

BullBearMS: fortheloveofgod: When we submitted firewall requests we had to provide both a source and a destination IP address and port(s).

Blacklists for malicious traffic can never work.  The malicious software will always change faster than you can update a blacklist.

You have to do the hard work of figuring out which machines need to talk to each other and what ports they use during normal operation, and allow only that traffic on the network.


Wasn't talking about blacklists.  Was talking about whitelists, the opposite.  ALL traffic to and from the Internet (and all other internal networks) except for these specific IP addresses and ports that we list.  So the part I bolded is what I am referring to.
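The allow-only policy the two commenters above describe, as an added example that is not part of the thread: normal-operation flows are recorded as explicit (source, destination, port) rules with default deny, and a new business need has to come in as a rule request rather than being allowed by default. All hosts, addresses and flows are constructed; the blocklist is included only to show why it has to chase each new destination while the allowlist does not.

```python
from typing import FrozenSet, Iterable, Tuple

# A flow is (source_ip, destination_ip, destination_port). All values constructed.
Flow = Tuple[str, str, int]

# Constructed record of which machines talk to which during normal operation.
NORMAL_OPERATION: list = [
    ("10.1.0.10", "10.2.0.5", 1433),   # app server -> database
    ("10.1.0.10", "10.2.0.7", 389),    # app server -> directory
    ("10.0.0.21", "10.1.0.10", 443),   # workstation -> app server
    ("10.1.0.10", "10.2.0.5", 1433),   # repeat: collapses into the same rule
]

# Constructed blocklist: one destination that was already known-bad yesterday.
BLOCKED_DESTINATIONS: FrozenSet[str] = frozenset({"198.51.100.9"})


def build_allowlist(observed: Iterable[Flow]) -> FrozenSet[Flow]:
    """Every (src, dst, port) triple seen in normal operation becomes one rule."""
    return frozenset(observed)


def allowlist_decision(rules: FrozenSet[Flow], flow: Flow) -> str:
    """Default deny: a flow passes only if an explicit rule matches it."""
    return "ALLOW" if flow in rules else "DENY"


def blocklist_decision(blocked: FrozenSet[str], flow: Flow) -> str:
    """Default allow: a flow is stopped only if its destination is already listed."""
    return "DENY" if flow[1] in blocked else "ALLOW"


def request_rule(rules: FrozenSet[Flow], flow: Flow) -> FrozenSet[Flow]:
    """The firewall request: a new need is added as one explicit src/dst/port rule."""
    return rules | {flow}


RULES = build_allowlist(NORMAL_OPERATION)

if __name__ == "__main__":
    legit = ("10.0.0.21", "10.1.0.10", 443)
    known_bad = ("10.0.0.21", "198.51.100.9", 443)
    moved = ("10.0.0.21", "203.0.113.44", 443)   # same unwanted traffic, new address
    for name, flow in [("legit", legit), ("known_bad", known_bad), ("moved", moved)]:
        print(name, "allowlist:", allowlist_decision(RULES, flow),
              "blocklist:", blocklist_decision(BLOCKED_DESTINATIONS, flow))
    # A genuinely new vendor connection is denied until someone files the request.
    vendor = ("10.1.0.10", "192.0.2.50", 443)
    print("vendor before request:", allowlist_decision(RULES, vendor))
    print("vendor after request:", allowlist_decision(request_rule(RULES, vendor), vendor))
```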
 
5 days ago  
This is all easily fixed with 2 factor authentication. For instance, I get on my phone and go to my bank's website and enter the stored password (1 factor), then I get a text message on my phone with a number I put into the bank's website to verify it is me (2 factor). See? Completely foolproof 2 factor authentication!
 
5 days ago  

fortheloveofgod: Dinjiin: fortheloveofgod: Dinjiin: And in a large corporation, admins aren't going to go through the pain of whitelisting every external site.

Sure they will.  Up until I moved to the non-profit world 3-years ago, I worked in IT for a global chemical company.  No Production server had Internet access except for the actual webservers, which were on their own network.  When we submitted firewall requests we had to provide both a source and a destination IP address and port(s).  If a vendor said their product required general Internet access we just laughed at them.

I'm not talking about production servers in a CAN.  I'm talking about the desktops and laptops that employees use for everyday tasks.  Outside of security sensitive organizations, the norm is usually to allow-all and then block specific classifications of sites.

That is true.  But if done properly a breach should only take down the workstations.  Workstations should be on a separate subnet from the rest of your infrastructure.  And you shouldn't have to pay ransom to recover workstations.  Any company worth their salt has images that can be pushed out to restore those in a matter of time.  Of course, it is not perfect.  Short of disconnecting your business from the internet, you face a risk.  The point is there are ways to effectively mitigate that risk.  And as others have pointed out, many times those mitigation efforts are bypassed due to cost & time saving demands from upper management.

When I took over as the IT Director at the non-profit I moved to, I was aghast at the complete lack of security.  I mean complete lack of.  It took me two years to plug the holes.  I'd be willing to bet this is more common than not.


If by "subnet" you actually mean "security zone", then yes.  Because a basic L3 router is not a security device.

Otherwise, yes, I agree with you.
 
5 days ago  

MusicMakeMyHeadPound: Welp. Spotted the project manager.

/the histrionics gave it away


PM: You COULD make it secure, you're lazy!
Eng: Ok, it will take 4 more months and we need to pay for a pen test
PM: We don't have 4 months and we don't have the money for a pen test
Eng: Ok, so back to the original plan?
PM: You COULD do it if you wanted to!
 
5 days ago  

Russell_Secord: Why not both? If you can't keep it reasonably secure, maybe it's time to look for a better way to do the things the Internet does. Shooting social media into the sun would go a long way towards tamping down the planned stupidity that's been going around, and it would give us time to do productive things instead of watch cat videos.

On my Internet 3.1, you couldn't have an anonymous identity


You might want to think about occasions where it's not safe for people to use their real names. That's why every attempt so far to do so has ended badly.
 
5 days ago  

SpectroBoy: MusicMakeMyHeadPound: Welp. Spotted the project manager.

/the histrionics gave it away

PM: You COULD make it secure, you're lazy!
Eng: Ok, it will take 4 more months and we need to pay for a pen test
PM: We don't have 4 months and we don't have the money for a pen test
Eng: Ok, so back to the original plan?
PM: You COULD do it if you wanted to!


I've had a couple of good PMs in the past but they're outnumbered by the awful ones by at least ten to one.

PM: "How long do you think it'll take you?"
Me: "8 hours. Assumptions include not --"
PM: "You have 3."
Me: "I just told you eight."
PM: "And I just told you three."
Me: "So why did you ask me how long it'd take in the first place?"
PM: "I thought you were the expert."

Later: 
PM: "How long do you think it'll take you?"
Me: "5 minutes."
PM: "What?! Wow, really?"
Me: "Haha no, but since it doesn't matter what my input is anyways I thought it'd be funny."

/got a talking to about a bad attitude for some reason
 
5 days ago  

Linux_Yes: xalres: SpectroBoy: MusicMakeMyHeadPound: If it were possible to program our way out of this mess, would not someone already have managed to do it?

Oof, this is dumb. One of the things I love about being a software engineer is that it's insanely in-demand.

There's no shortage of projects that get rushed because the PM - who is judged on deadlines - will always prioritize (1) Quick and (2) Cheap on the engineer's triangle.

Yes, we can program our way out of this mess. But it's going to cost money.

So much this.

Why isn't it more secure?
Why are there this many bugs?
Why don't we have all these cool features we thought of?

BECAUSE YOU WANT 3 PROGRAMMERS TO SUPPORT A MILLION LINES OF CODE YOU THUNDERING MORONS.

Oh man I feel this in my SOUL! My team of five is working to put out a pretty complicated app (patient access to electronic medical records) on both major app stores by August. None of us had seriously touched Swift or Java/Kotlin until January. The PMs are giving pushback because of the slow pace of progress and I just want to scream "You're asking a team of five to do something in eight months that takes an experienced team of a dozen almost a year to do, WHILE WE'RE LEARNING THE LANGUAGE! Of course it's farking taking a while, you dipasses!"

Why do u hate freedom and state capitalism??


Because I am a socialist libturd
 
5 days ago  

MusicMakeMyHeadPound: SpectroBoy: MusicMakeMyHeadPound: Welp. Spotted the project manager.

/the histrionics gave it away

PM: You COULD make it secure, you're lazy!
Eng: Ok, it will take 4 more months and we need to pay for a pen test
PM: We don't have 4 months and we don't have the money for a pen test
Eng: Ok, so back to the original plan?
PM: You COULD do it if you wanted to!

I've had a couple of good PMs in the past but they're outnumbered by the awful ones by at least ten to one.

PM: "How long do you think it'll take you?"
Me: "8 hours. Assumptions include not --"
PM: "You have 3."
Me: "I just told you eight."
PM: "And I just told you three."
Me: "So why did you ask me how long it'd take in the first place?"
PM: "I thought you were the expert."

Later: 
PM: "How long do you think it'll take you?"
Me: "5 minutes."
PM: "What?! Wow, really?"
Me: "Haha no, but since it doesn't matter what my input is anyways I thought it'd be funny."

/got a talking to about a bad attitude for some reason


Funny.

I had one PM who, whenever he asked how long, would only get the answer "you tell me, you have never accepted one of my numbers since I started here".
 
5 days ago  

GitOffaMyLawn: Perl is a nice tool.


Username checks out.

/Perl rocks
 