334 comments

[ 4.1 ms ] story [ 302 ms ] thread
What you gonna do about it?
You mean the last three paragraphs titled "So what am I going to do about it?"?
As well he should be. So should we all.
This is the down-side of artificial scarcity for software. The upside is that sweet sweet green. If you could remain cynical a few years longer, scrimp and save like 10 years of a comfy mid 6 figure salary, you'd stop caring about the BS, and you'd might even learn to love it (or even contribute to it!) After all, nothing quite feels as good as being a well-paid expert in a complicated field, especially when it grows more complicated over time.

It's offensive, and it's not how it should be, it's a "defect/defect" Nash equilibrium when we should be going for "cooperate/cooperate". So kudos to you for fighting the good fight - you deserve to win.

> artificial scarcity for software

Can you elaborate on this? Why would you say there is artificial scarcity for software?

(comment deleted)
I assume they're talking about the fact that software can be replicated at no cost but is constrained by pricepoints, encrypted code, licensing agreements, versioning flags, and so on. It's been artificially constrained in code.
Correct. Although the constraints often involve code, they don't have to. Enterprise license agreements are ultimately enforced with threat of legal action, coin-op arcade games by a physical mechanism, for example.
Software costs ~0 to copy and distribute absolutely perfect copies, world-wide. To drive the price up you create artificial scarcity, mostly rooted in IP law.

Important note for HN readers: 'driving the price up' is a net benefit for programmers. Artificial scarcity is why you get paid big bucks.

Interestingly, data is legitimately scarce. But that's a discussion for another time...

Copy and distribution costs are just a part of the cost. Development and maintenance does require real flesh and blood people spending their days working on developing, building, and deployment. That part costs money.
You tacitly assume that I am not aware that software products have an R&D cost, and you are (insultingly) wrong. Of course they do. And without artificial scarcity that R&D cost will not be recouped. The default state of software is an open source model, where the "developing, building, and deployment" doesn't cost money because there isn't any.
Copy and distribution costs for movies in a digital age are non existant. Are movies using artificial scarcity?
That movies are almost impossible to buy DRM-free should give you a hint ?
The artificial scarcity applies to copies of an individual piece of software, rather than the scarcity of different pieces of software.

Once you build it, almost the only way to achieve scarcity is through IP law.

There is a ton of free software. Price is not up just because of IP law. It's up because running and maintaining Wikipedia for example has a price even though most of the stack is free.
> Artificial scarcity is why you get paid big bucks.

You are assuming that my software is distributed.

Look 50 years ago you got a catalog from sears. You mailed a check, someone opened it, your order went to the warehouse, the check went to the bank, your items got picked packed and shipped.

The software I spent a good part of my career writing got rid of a LOT of people from that scenario. The hardware and software combination that is the ATM got rid of many tellers. MP3's killed record stores.

If you find a programer old enough, they will insult you by saying "I will replace you with a very small shell script". Many of us built software to replace people, many of us continue that. Our value is literally reducing costs and "enabling scale" at a massive discount. For those of us that do this sort of work, we are massively underpaid when compared to the manual processes that are replaced or never have to happen.

> Important note for HN readers: 'driving the price up' is a net benefit for programmers.

Well no, if it is hard to get software written people just won't bother. Most programmers will benefit from a commoditise-the-complement strategy where everyone is using software and need to hire programmers to tweak it to their exact needs.

The money is in support & hardware. Trying to primarily compete on software price is pretty risky; Open Source is quite competitive. The big paying companies in software (Googles, etc, of the world) don't particularly leverage IP law in their strategies. Even with players like Microsoft, artificial scarcity of their traditional primary products (Windows, Office) would be the kiss of death to the company.

I think there is some economic theory that states the price of products will tend towards the marginal cost over time. I haven't seen anything that makes me think software is any different.

I don't think there is much profit in hardware, most companies seem to work on razor thin margins.

> I don't think there is much profit in hardware, most companies seem to work on razor thin margins.

Consider that Apple is America's most profitable corporation. They do squeeze people with software restrictions; and it is a core part of their strategy. But the focus of Apple has never been 'our software is rare', it has always been 'faster processor, thinner phone, better screen'. The artificial restrictions on the software aren't at all beneficial to the software or the programmers; they are part of a strategy to make the hardware more valuable. It is a strategic element to help their hardware resist the commodification of smartphones.

If they had inferior hardware then the restricted software strategy would see them crushed under the booted heal of groups like Samsung.

Apple does seem to be the exception, that's why I did say "most companies".
The big paying companies in software aren't in the software business, they're in the data business. The software is a (very cheap, to them) loss leader.
Quality software is scarce, though. Even in a world without copyright, or a world in which copyright does not apply to pure information like source code, it would still be difficult to produce short effective code (because finding short effective code is NP-complete!) and so some of us would still be employed without difficulty.
What about those of us who don't get crazy compensations, but instead work at a midsized company selling a "security" product? All of the complexity in my field comes from stupidity, either by certifiers, or legacy protocols that can't die or sales people playing "defect/defect" with oneanother so nobody fucking talks with each other. If the complexity at least came from software I would have a reason for my knowledge to feel valuable outside my specific domain.
Well, it sounds like you need to be learning things outside your domain in the hopes of entering the job market. Sometimes you can't fix the game.

BTW I'm quite wary of "security products" for enterprise; it reeks of antivirus software writ large. That said I can see some benefit to services like audits, or even things like honey pots or "dark net scans" for detecting leaks. But something tells me that's not what you're talking about...

> BTW I'm quite wary of "security products" for enterprise; it reeks of antivirus software writ large. That said I can see some benefit to services like audits, or even things like honey pots or "dark net scans" for detecting leaks. But something tells me that's not what you're talking about...

The product itself is quite reasonable on paper [1]. (And, yes, it would provide value even if all of the software industry would ramp up their security practices, so it's not a band aid like antivirus software.) The execution is the problem. Despise selling "nation state attacker secure" appliances, we are not internally focusing on producing a high security product but give priority to certifications and features. The disconnect between marketed identity and day-to-day developer experience is breathtakingly depressing... at least to those of us who have an interest in security. Management doesn't care of course. It sells (because of certification and little alternatives on the market), so all is well.

[1] Sorry for being so vague. Given the set of statements I've given already, anything more would make me personally identifiable to my coworkers.

The real knowledge you can gain is:

* Understand the true desired outcome

* Own delivering it

People who can't do the former are naive. People who can't do the latter are unambitious. You can go through life just fine being both.

I think this person should seek happiness in ways that don't involve technology.
>I'm pissed off that my clients don't seem to take it seriously, and I'm pissed off that the vendors don't seem to want to help.

Yes, I 100% agree with your assessment of this person's post. They are running into what I would call, "the horrible realities of business", which have nothing to do with putting in too many hard hours at work and everything to do with being forced to deal with unethical/deliberately lazy people in the day to day of being a worker

They’re expecting greatness from everyone around them. That would drive me crazy as well. My mental health is too important to be idealistic anymore.
When I was in my early 20s I couldn’t understand why people were so jaded about anything. A decade later and, I understand.

People don’t give a damn and it’s mind-boggling. All you can do is shake your head and continue with your day.

I don't think they are unhappy. I think they see an opportunity, and this is a setup for an upcoming post where they announce the new product to fix the concerns.
Any Wordpress site is essentially a hacker honeypot that will ultimately cost your organization far more than it might save you if you actually try to use it as a content management system. WP should come pre-configured with the very good "WP Cerber" security plugin, and force you to choose a random login URL. Otherwise it's only a matter of time before you are hacked. 5,000,000 lines of auto-updating PHP? Good luck securing that. I have been forced to support 2 WP websites for the last 2 years and they are attacked thousands of times a day simply because they report themselves to the world they are Wordpress sites. WP Cerber allows you to upload the original code for plugins and themes and can then scan them for unexpected changes. The effort required to maintain the security of Wordpress FAR exceeds any value you might extract from it being "Free".
I asked my SO recently how she view the Internet, what it is and how it works. She was honest and told me that, "If I click this button, this websites loads. If that works I'm fine! If it doesn't I will call you. Don't stop working with IT please, if you get it, we need you badly!"

I believe that is a good reason to be accepting towards the current state of affairs. People just don't care. They have more important issues to deal with, deadlines to meet, problems to face.

If you are frustrated and pissed off, great. That means you get it, and that's great!

Now, meditate -- the journey to a perfect secure world will take some time, like beyond your current life span. It's not until you accept that reality that you will make real change globally. Because it takes time, a lot of time.

Thanks for your effort so far.

> the journey to a perfect secure world will take some time

The author argues that it will never happen because we are WORSE today than we were before and I agree with that.

Thing is, it took me a long time to accept that people not caring was ok.

Now I realize that my dad is frustrated I never learned something as simple as changing the oil on my car.

My mom does not understand how I can't name more than two flowers and can't bake a pie.

My legal-minded friends are astounded I do not take a day to work on my legal status to pay less taxes. Hell, my wife does the paperwork I am not even sure of the tax rate we are paying.

And yet, I see myself as pretty curious, jack of all trade. I understand many things about CS, mechanics, electronics, manufacturing, politics, economics, ecology... We live in a complex world and we rely on each other to make it work.

Love each other, we really depend on each other, it is easier if we don't consider others stupid for choosing different areas of skills.

Thanks, this summarizes my thoughts quite neatly.

And most importantly, love yourself and don't let others disinterest get to your spirit of making good.

Just wanted to say this is a really good comment, thanks for putting it out there.
Thanks, you made my day :-)
I can't accept that not caring is ok. The small "I don't care" extends into "I don't care about anything outside my immediate environment" and that has political and eventually global consequences.

If their bank account is drained they will care, and get angry, and then maybe do something (but preferably the bank will recompense them in which case they feel better and go back to not caring).

Some stuff you just can't do; as you say the world's too large, but many people don't want to put in the effort to learn stuff that would benefit them immediately, never mind over the longer term.

I really do not understand people.

"I really do not understand people."

Indeed.

> If their bank account is drained they will care

For people living in the US, that's just basically an act of God now. The refusal to have a decent ID system has made identity theft laughably easy. Even with top-notch computer security, if you have ever shopped online or swiped a card in a shop that doesn't do in-depth background checks of its employee, you are at risk.

> many people don't want to put in the effort to learn stuff that would benefit them immediately

I take it you're not counting yourself in that group? Have you already learned everything that would benefit you immediately?

It would be a better question if you asked it fairly: "Have you already learned everything". I did not suggest or imply 'everything' should be learnt.
That's fair. Your comment would also be better if you quoted me fairly and didn't cut off the second half of my question.

"Everything" and "Everything that would benefit you immediately" are not the same thing. But I don't think there's much to gain from more bickering here, let me just retract my comment.

That's very civil of you, upvoted. OK, now I can answer. It's all a balance of investment, payback (which can be direct - "gets me a job" - and nebulous life-quality stuff - "that's interesting!") and erm, my lifespan.

I try to make those tradeoffs consciously. If I decide x is valuable but boring, these days I'll measure it against other priorities, if it wins I force myself to do it.

So I try. It's an acquired skill which I'm still working on.

What you call an acquired skill is a heuristic most people do unconsciously.
People always do the right thing and don't dither, don't procrastinate, always evaluate the long term consequences? Sure they do.
> I really do not understand people.

Well, then learning more about people's psychology and motivations seems like a thing you could benefit from immediately :)

I realise people don't care. I don't understand how they can so freely ignore that this has consequences and not always even long term ones.

Given that I do recognise people won't change, would it help if I did learn to understand their builtin magic curtain / SEP field[0]?

I ask with no hope any more, what do you advise?

[0] https://en.wikipedia.org/wiki/SEP_field

It's like a runner that runs laps, if they can keep going they will. Sometimes they need support but then they only do a pit stop. Getting information or acquire a skill with that state of mind makes you only learn what seems essential to you.

Being acceptant of that has the upside that you don't need to know the background of a given individual (some people have a rough life, others just don't think they will get it e.g. think they are not smart enough, others are just working 400% and have kids), to accept the fact that they will just use tech and maybe don't care about the inner workings. But is that really a bad thing? Because that's exactly how they are built know adays, ease of use.

I have people around me that I want to explain basic things in life to, but.. even if they actually listen their previous argument float to the surface the next day. People need to change themselves.

In the other end of the park there's a big playground. That's where I sit and design the biggest sand castle I've ever built. I don't care that much about running around, I switch playground when I have too.

Each mindset have their pros and cons. I solve stuff that takes a bit of effort. My SO keeps our life/house running.

So respect and acceptance about others choices is a great way to let go of anger that nobody is interested in the things you are interested in. Finding someone with the same mindset in real life is rare, even on HN. How cool is that?

> I really do not understand people.

If you cared to, you could learn how.

Your mom and dad, or grandparents probably didn't need to know, even though they know how.

Most of their interactions were with local businesses, with people who, like themselves, were part of the local community. The unofficial grapevine worked pretty well for rooting out the good and bad mechanics, lawyers and florists. Your dad could change the oil, but almost certainly knew which mechanics could be trusted to have done what was on the invoice, and the few to avoid at all costs. Mostly if really was OK not to care, because they knew someone who did. The network meant something. Doubly so in smaller towns, and yes, small town life came with some downsides too. :)

That breaks horribly when recommendations are of global mega-multinationals, and most businesses on most high streets are national and international chains. A recommendation counts for nothing for a business of that scale, and an individual vote may be an employee you might never encounter again. The network means nothing, except as something to be gamed. Taking your custom elsewhere means nothing unless a million or two others do too. You have to care as no one else gives a shit about your interests, just the sale or commission. Except precisely none of us have the time for that.

If we want the benefits of larger scale business I think we need to start giving them some responsibilities too. Like a duty of care in law as exists in some areas already, but further reaching to consider the public interest as a priority. Without something the power imbalance is impossible.

Without constraint, large business takes the piss. It's time for some constraint. Then maybe we actually can depend on each other again.

My dad was dealing with international teams to manage semiconductors manufacturing at a global mega-multinationals. His dad was the trustworthy mechanics though, that's why he ended being good at cars repairs :-)

I am the one living in the countryside not far from a middle-sized city. I do know, from local community's word of mouth the reliable and cheap mechanic and florist.

Don't fell in the fallacy that things changed globally because you moved from one place to another ;-)

Tracking reputation has never been easier. If you are interested in it, that is.

That's really the point of success in business - it gives you the ultimate privilege of hugely decreasing the odds that you'll be held responsible for damage you cause to others.

Occasionally the wheels come off (maybe literally) and someone with significant power ends up in jail. But realistically - how often?

Which is why software security and quality aren't a thing. There's no pressure to do the job properly and plenty of incentive not to.

> There's no pressure to do the job properly and plenty of incentive not to.

I won't name names, but doing some work for some company in IT security space once, I learned that one of the issue they faced in sales is that the product cannot be too good - because if it points out to a possible vulnerability and then that vulnerability gets exploited, the customer may be on the hook financially and legally, as the software could prove they knew about the problem and didn't address it.

And now I need to go check my blood pressure again.

Worked in enough safety-necessary environments (military weapon handling, warehouses, shipyard) that the very idea of deliberately whitewashing a possible failure just makes me angry.

Lessons learned briefings were some of the best OJT I ever had.

I'd have filed CVE's on whatever they told you to leave uncovered and damn the consequences.

(I've also never been in a place where I could afford to be let go, so YMMV/MMMV).

> The network means nothing, except as something to be gamed.

Thank you for this insight, particularly the concise manner in which you have articulated it.

This I don't understand.

You are interested in economy and politics, yet you don't know how to file taxes. Is that not connected?

If you understand mechanics, yet can't do maintenance on your car, not even talking about fixing anything.

This level of theoretical knowledge that can't overreach to reality to do basic tasks seems just irrelevant to me. What is it good for apart of talking about it?

General curiosity in some topic? I can talk quite a bit about firearms, ammunition etc. yet I never owned a gun, shot altogether maybe 5-8 rounds in my whole life (apart from BB gun).

I like watching youtube channels like Demolition ranch or Iraqveteran8888 for their technical expertise, viewpoints and just fun. Without any real expectation to ever own a gun to expand on this knowledge. Maybe some nice bow one day (which these channels don't even cover).

Don't expect everybody acting rationally all the time, considering cost/benefit against all activities, or similar.

Is somebody who watches people draw in their youtube channels interested in drawing, or in watching people draw? I'd say it's the latter.
Are the billions of people who watch sportsball even capable of playing whatever variety of sportsball?
That's my point - they're interested in following others play the sport, not in the sport itself.
I could not figure out an argument without sounding too confrontational toward you or OP, so sorry :).

But if your knowledge can't fulfill your need in same field, what is that knowledge for, or is that even actual knowledge?

People like to satisfy their curiosity. Think of the average tabloid at a newsstand. It provides some provocative information, but it's the curiosity of the details that drives people to buy them. Is it going to improve their life in any material way? Probably not.
There is joy to be had in just learning something. For some people, the knowledge is its own reward. Other people see knowledge only as a tool to achieve things they want.

Based on your respective comments, I'd expect that the writer of the grandparent comment is the former type, while you are more the second type. Both are fine.

There is nothing wrong with doing stuff just for fun.

There is nothing wrong with being focused on just few issues.

But I have doubts when you claim some knowledge without being able to use it practically, which is what I see here.

If I'd say I'm jack of all trades, as I'm interrsted in software - but i hire a guy to make all the code for me because I don't know how - and that I'm very interested in knives - but my wife sharpens our knives as I don't know how - I have doubts about your actual knowledge if those fields.

You are reading this wrong.

Never said he couldn't change the oil on his car, just that he never bothered to. Didn't say he couldn't do his taxes, just that his wife takes care of it.

(comment deleted)
I can't respond directly to kissorgy because of shadow ban I guess.

Anyway, yes the author says we are worse today, but keep in mind that we "just" connected a few billion devices. It will take a massive effort to get that fixed properly and keep all up to date security wise.

Nevermind that goverments wants to ban security in some places.

> but keep in mind that we "just" connected a few billion devices.

Yes exactly this. Information technology has improved at a totally crazy rate, and I think it's unrealistic to expect safety and sanity to keep pace, The internet has only been around for 30 odd years, and getting all this right takes time. To examine another technology, the automobile was invented in 1885, seat belts were invented more than 60 years later, and it was another decade or so until they were made mandatory for new cars (in the US at least).

And users should not need to care (too much). I drive a care and while I know some of the inner workings of an ICE, most people who drive do not and that's FINE. The car is a utility that people just want to work.

Why is software expected to be different? Why should it be? Why does your grandma require a basic understanding of password security anyways?

> If I click this button, this websites loads.

As a user of technology, I want the exact same thing. I'll do research to build a PC, or install a new OS, and tinker with it until it works to my satisfaction. Then, I never want to touch the internals again and I want them to just work. I get very upset when my product stops working.

Same for cars, cell phones, computers, etc.

As software devs, it's our job to make this possible for users.

Why would you need an InfoSec if security was a solved problem?

By the way, I totally understand where they're coming from, but I've realized that as an engineer in enterprise, your job is to fix things that are falling apart. The more senior and talented you become, the more broken the things they want you to fix become. That's literally your job!

They're not going to pay you to admire the beauty of something without issue that meets all requirements.

Join a night college and acquire new skills;
If you work in security, this resonates so much. No one really cares about security except to check a box or pay lip service to it. That's why so called security products ship without logging and clients don't want to make the smallest effort to enable you to improve their security. It's why companies that sell security products invest more in marketing than the product. The industry is full of conmen and marketeers. Information security can be great though if you find someone that really cares.
I work as a contractor for a bank.

A few months ago everybody was up in arms about a "major" security issue discovered by an auditor (you could see the settings of random users by changing an id in a url). I've just shown them you can credit money to your account, yet this is low priority and they provided a fix that I'm 100% percent sure didn't fix anything, unfortunately the functionality is down on all but the production environment. I'm tempted to just credit myself 1 monetary unit in production and just show them the statement.

Sometimes it matters who finds the issue more than what it is....
> I'm tempted to just credit myself 1 monetary unit in production and just show them the statement.

I would be tempted too, though I could bet that this will be a termination of an employment, instead of the problem being fixed.

I would like to be proven wrong on this speculation..

Not just that, I would expect criminal charges to follow.
Yes, that's what I thought as well.I'll just have to suck it up until the test environments are up again and provide a proof of concept exploit.

I'm just impatient because it's a really clever and somewhat complex hack that challenges some multi-threading and transactionability assumptions some people mande and I can't really talk about it(which I'd love to share with my peers).

(comment deleted)
Raducule, did you did CYA (cover your ass)? E-mail(s) to higher ups responsible in case of a fuck-up that most likely will happen in the future? Do it now if you didn't, or "wave and smile" if you did. Let them burn if you are ignored, no longer your problem.
Debit yourself 1 monetary unit, and then say you could just as easily credit money.
Not to downplay the issue in question, but you have to be realistic about prioritazation. An exploit of "if I change variable in URL I can see other people data" trumps "if I make multiple concurrent requests with specific input I can give myself monies". I guess not by much, depending on the complexity involved and the know how required to carry one vs the other. Another thing all together is who reported the issue - sometimes it's more of a PR experience, depending on the company
Never to yourself. Maybe to a board member. Or all of the board members. But that's a big maybe.

And make sure your contract covers your ass, under production system testing / penetration, or something similar.

I could only exploit this for my own account, and there are only money involved, if it was human lives at stake, I would not have worked at anything else until the issue was fixed.

The bug that lead to me discovering the security issue was mitigated by another developer, the security issue was also deemed fixed, I am 100% it was not, but there's no way to proove it at the moment, except u production, that's why I said I was tempted to actually do it.

Anyway, there's nothing much to gain by me by antagonising another coleague, the management or the bank. It's not worth the ego boost or frustration scratch, worst case scenario, I don't patch the issue in time and the bank looses money and they start taking security more seriously.

You'd get much less reprimand if this information was somehow leaked to someone else who then was stupid enough to do it, although to avoid any legal "abetting" you'd have to have some actual documented cya saying "don't mess with this broken feature".
I don't have any ill feelings against the bank or the management, it's just a stupid setup where the local prophet gets ignored, we are swamped with bugs, new business features, new regulatory features, outdated devops, a lot of teams scrambling to catch the monthly release, understaffed qa, non-functional test environments and so on.

I can understand every piece of the long string of factors that lead to this ridiculous situation where such a serious security issue is not being addressed; any one in particular is not ridiculous, but they all compound to the ridiculous of the end result.

I've fixed another ridiculous security issue in the recent past without making big waves, where only one software architect understood the seriousness of just one option in a maven config file(a whole declarative security module was not being weaved into the bytecode because somone added another module and instead of both being applied, only the most recent one was being applied).

That might be true, but hacking without explicit consent is a good way to get fired with potential jail time.
I've heard from someone selling security products that some companies prefer to pay ransonware to a hacker, instead of investing in building up their defense and paying for security products
The easiest security investment is to switch your shop from Windows, cutting like 98% of threats out there cold.
As well as cutting 98% of your workforce as no office employee knows how to work on anything different.
> As well as cutting 98% of your workforce as no office employee knows how to work on anything different.

Techies repeating this should take a lot of the blame for why Windows still sell as well as it does.

A 50 year old electrician convinced me to start using Ubuntu 13 years ago after someone at his kids elementary school or something had told him.

UX wise Linux passed Windows in many areas around the time Ubuntu was introduced.

The only reasons now are prefererence, hard dependencies on Windows only software, stubbornness and incomptence.

Only the two first ones are good reason in my opinion.

> UX wise Linux passed Windows in many areas around the time Ubuntu was introduced.

Is this something you decided on your own was a fact? If I disagree, would I be wrong, stubborn and/or incompetent?

Probably under stubbornness. Whatever good things Windows has going, it's not the UI.
I didn't say that. I disagreed with the statement of fact that Linux had passed Windows UX-wise in many ways around 2004.

Also, I wouldn't conflate UI and UX.

So would a few areas be true for you? "many" has ben true for 25 years for me and 15 years for many end users I know. UX is very much an opinion.
> UX is very much an opinion.

I'm certainly not going to object to you having that view, but if that's how you see it then it's not a very interesting discussion is it? Would be like discussing whether the Beatles were better than the Rolling Stones "in many ways".

For what it's worth, I believe you are very wrong. But I understand and kind of appreciate this view, largely because it keeps me employed.

I've worked in the field as a professional since around that time and as an amateur since 1995.

Things Linux did better at that time:

- installation experience, os: installation of a "pre-installed" Windows laptop could take up to 4 hours before you had finished completely.

- installation experience, additional software: I was good at removing Windows spyware and adware back when that was a local problem. Never had any Linux user with that it problem.

- driver issues: 50/50, since around that time hardware would mostly "just work" unlike Windows were one would typically, again at that time, have to hunt around the Internet or dive for the cd. Reason why Linux don't win hands down was because if something wasn't supported it would often be a dead end until next distro release, sometimes longer.

- end user support, other ux issues: the same, which means Linux probably win with a comfortable margin since Windows had the benefit of everyone "knowing it" and still didn't come out way ahead.

- in addition Linux typically is faster, even to this day, which is a huge issue with some users.

You might have noted I wrote in many areas, not all.

For users who earn their livelihood with Autocad and Photoshop I'll have a hard time recommending Linux. Same goes for people who have tried Linux for a few weeks and still don't like it. It might be preference or it might be stubbornness, I don't care.

But blanket statements like the one I replied to:

> As well as cutting 98% of your workforce as no office employee knows how to work on anything different.

is just plain wrong. The fails here are mostly related to other issues, not dumb users. (I really don't like that idea that all users are so stupid they cannot change adapt.)

And of your productivity for those tied to excel, word, and powerpoint
this. I think most office workers couldn't care less if they run Windows. But they know those Excel hotkeys as well as any Vim hacker knows the escape key.
As a vim to excel user I’ve always wanted to create an addon that maps vim hotkeys to excel. My only fear is that I’d get too used to it and not be able to use any machine that I sit down at.
LibreOffice.
LibreOffice has come a long way, but retraining thousands of employees is impractical.
That is as they say "a brave choice"
My job switched completely to GSuite a year ago, management first.

If anyone needs Excel they get it.

So far I've spotted I one person that probably uses Excel. No complaints that I've heard or seen.

Ah so how do you handle working with external people who use excel.

Most of my work with a wildly spread organisations and we can have excel go through US to Russia to Uk Back to Ukraine and then back to me in the UK

Those products in Wine. Google web, office 365, libre/open office, atom/sublime, vim/emacs.
Most of the workforce would have little trouble working on Macs or using Office365.

The actual friction will come from Windows sysadmins with no other practical skills.

I agree with the sentiment but this is probably not the case as a sysadmin hardly has any say in this usually. (I've been a sysadmin at software companies for 10 years.)
So much this. The problem is mostly that this requires executive buy in, and clear explanation of the cost shift associated. Then, even after executive buy in, you have to guard against CISSP "windows on everything" saboteurs who know the C-speak better than you do, not to mention the people who want a vendor product for everything instead of just using industry standard FOSS tooling. To me, there is a lot of market opportunity here, but the MBA side is behind and so the implementation is lagging.

This is why I think one of the key things is in stack standardization (choose best in class foss tools that match requirements, for example, I personally have a gpl or gpl compat requirement), and stack size reduction (which means you don't need every fancy sounding tool that you hear about, make sure the use case is justified first).

People have such a stockholm syndrome relationship with MS (and proprietary sw in general) it's absolutely sickening. For example, I think educational institutions should be teaching and using FOSS first.

Some will whine about no one using linux or not knowing how, and one response I use is "you had to learn how to use windows too, and even it changes things up, just look at 7 to 8/10, so why not learn to use gnu/linux and free yourself from MS?"

I'm studying infosec, so I lean on the "pay for infosec people" side.

But from a company's perspective, if they have to pay 1M for an infosec team over five years, or 1M for a breach once every 5 years, what's the difference? You're still paying the same amount of money.

And then Equifax gets breached.

When does infosec start to realize that it's not just about company costs/risks, but the lives of all those users who are going to get screwed when your 'low risk = cheap fix' mentality pays off?

I'm in the Equifax breach (like sooooo many more)... part of my 'general concerns about the world' is whether/when I get my life hacked and have to rebuild.

Let me know where you get hired next, so I can take my business elsewhere.

Corporations do not care one bit for

> lives of all those users

Equifax cares about one thing: earning profits for its shareholders. They got caught with their pants down. Now other companies can look and try to estimate their expected cost of being breached (probability of being breached multiplied by the dollar cost) vs the dollar cost to upgrade their IT systems, infrastructure, management, company policies, etc etc etc. Realistically, Equifax is probably incapable of doing the necessary changes upfront without a complete overhaul of it's people and leadership structure.

The vast majority of companies will spend the least amount of money possible to pretend that they fixed the problem.

You want companies to care? Then create regulation that protects

> lives of all those users

(comment deleted)
Perhaps they consider that the employees will be way more productive without all the security barriers that the Infosec team would set up, so paying for the breach is a net gain in this light.
You will be paying more for the second breach and paying once will get you put on the sucker list so others will see you as a easy mark to hack.
Conversely, in a lot of industries the security department is only there to prevent you from doing everything you need to do, even if the threat and attack surface are both minimal.
Agreed, too often security people are incentivised to make a massive fuss over tiny issues, and then often don't seem to understand that security is just one of many requirements needing to balanced
So much this. In addition, these tiny issues are often purely technical in nature. I still have to meet the first security engineer who is able to identify informations security risks at the business level and view vulnerabilities in their proper context.
So true! Security people think the end goal of the company is a secure system. No. The end goal of the company is a product that customers want to buy. And it's hard to build said product when security hinders you at every turn.
(comment deleted)
Bro (or Sis? :) )! They're not supposed to care about security, you are! Our job in infosec is to show others how insecurity affects what they care about so in order reduce,transfer or eliminate risk to what they care about they allow us to implement good security. The failure is on the infosec side of the equation.

It confounds and mildly pisses me off when people get pissed and get burned out over suits not caring about infosec. I mean,they care about promotions,reputation,bottom line,ROI,KPI,etc... That's what they do. You know why the marketeers and buzzword snakeoil salesmen prosper? It is because they communicate not only risk but especially [fake] solutions better! Infosec is full of user and management blaming, expecting peoppe outside of software developers and infosec practitioners to care about infosec. I am not saying I have it figured out but I am fairly certain users and decision makers need to be told solutions within the context of risk that affects them. And if it doesn't affct them they're not supposed to care.

I'll give you an example, a network is filled with tls1.0,and ssl1.3, how does that affect some mid sized company's bottom line or reputation? How do they get ROI on the man hours and resources spent to upgrade everythig to TLS1.3 with proper cipher suites and key exchange? and what KPI can they use to measure efficiency of resources? How will you tell them security hygeine takes a very long time to show ROI as do many other security concepts?

You don't really have to do all that if you don't want to, plenty of skill demand to where you can progress to more exciting positions.

This is what happens when companies don't understand security.

https://www.csoonline.com/article/3410278/the-biggest-data-b...

You think a million a year is expensive? It's not - not if it's saving you a $200m fine, and possible class action damages.

The trick is, how do you estimate risk of such problems in a particular company, in order to provide the suits with an expected dollar figure?
It's tough for me to think that Yahoo! didn't "understand security," and yet, their entire user database was ganked. I have to assume that they were doing everything they could to implement all of the white paper suggestions and consulting recommendations they could get their hands on. I also presume they were running the largest, most-expensive "security" products that they could buy. The depressing thought that struck me at the time was: if one of the biggest web properties to ever exist couldn't figure out how to secure their database, what hope do the rest of us have? (Maybe I'm being naive; I've never seen a disclosure on the nature of the intrusion.)

All of this sort of thing leads me to think that there is currently a huge mismatch between the security products industry, and how companies implement all the conflicting white paper snake oil, and what the ACTUAL vulnerabilities are. And I know how stupid this mismatch winds up making the average Fortune 500 worker bee's daily life. But that's a topic for another post.

Pretty much.

I think it's difficult but there's almost no doubt that Yahoo would have people who understand the problem with security. The problem is, were they, and did they have the power to reign this in at scale?

All too often, you get risk people buying products then asking for all your logs, promising the easy silver bullet. Being a pessimistic engineer, you're unlikely to ever be near a leadership position with people who want easy answers.

The problem is, the person who refuses to understand this, typically includes the senior guys in InfoSec who own this, and will continue to do so irregardless of how you present it.

I mean, who else is buying a SEIM, asking for all logs, and then hoping it'll take care of everything? That's the CISO, Director, VP, Head Of, etc.

I did work at a major cable company building customer premises hardware about 5 years back (the only reason I'm sharing this story). They were alerted to a major, easily exploited and REALLY stupid vulnerability in their system that exposed their core management network for the product to customers. They just hired the guy who reported it then fixed the problem 6 months later. The short-term mitigation was to put passwords on all their database servers (they were not there previously).

Security was just not a concern until they had a major breach. The security teams had been screaming bloody murder for a while, but could not get the product teams to allocate sprint bandwidth to the massive, coordinated security hardening effort that needed to happen to prevent a potential headline in the New York Times.

Why doesn't legal have to fight the same fights? Their domain seems similar: Legal problems take years to surface, and when they blow up, they explode spectacular. Implementing procedures involving legal is a huge drain of time, motivation and opportunities. Yet, in many companies the power dynamics is inverted: Anything non-trivial has to go through legal and is blocked by default. Why don't new deployments have to go through security?
It's a great point, and largely due to legal teams speak a really similar language to business teams, just looking at it from different sides of the same apple. As nearly every company goes digital, security can fall in that same legal bucket.

Why does legal succeed then? Partially, there are pretty firm laws covering risk, that haven't quite caught up to sec breaches and such (but this is clearly beginning).

However, the big reason: Legal can explain the 'so what' because of that shared common language. Sec folks seem to largely not bother learning how to translate tech jargon to 120 seconds and a power point slide or two that business can understand.

> Why doesn't legal have to fight the same fights?

Legal constantly fights the same fights. They get those systems put in place because they acknowledge that fighting these fights is a critical aspect of their job and they make sure those control points are in place. Before I became an InfoSec PM I consulted for legal departments to fight those internal fights for them. They’ve had decades to refine and develop best practices around how to do these things.

Also places where everything is blocked by default by legal are generally badly run legal departments and have plenty of handshake agreements and covert business activity going on the same way places with intransigent and uncooperative InfoSec or enterprise architecture ends up with tons of shadow IT. They’ve been moving towards automated review and self-service tools to speed things up for a while now.

Yes, nailed it.

Mgmt/non-sec care about pretty clear, often profit-oriented metrics (ROI, etc.). There is such a clear precedent for successfully internally selling, implementing, and creating buy-in for cost-producing (i.e. infosec) but business-saving practices. Insurance, financial risk departments, legal departments etc. etc. etc. Sec can fall under that too. Sec people don't bother to learn the language 90% of the time. Sec people then burn out because they feel they're paddling nowhere.

Failure to learn that ^ language as a sec eng, means you fail to learn how to successfully implement sec in a way that has lasting buy-in. It's doable. It takes a bit of leadership, a bit of buzzword-learning.

If you want to play ball with mgmt and not be a mindless keyboard monkey sec eng who has no care if people care about sec or not, you must be able to take all those sec thoughts, distill it into 3 power point slides and 120 seconds of 'so what,' and be ok doing it over and over.

That sentiment reminds me of how most people think of accessibility.
I like that at least you have a plan to do next lol
what if I tell you that a software banks (B-A-N-K-S) are using to transfer money has hardwired passwords inside, has to run as administrator and has some problems of command injection, etc, etc ... etc ? Sadly company think to security as a cost and to maximize the profit let people should never approach a keyboard to write programs, unsecure programs, because they cost less. Because also testing is expensive, same story. Did a big airplane manufacturer does the same ? The customers ? Who takes decision often doesn't care: they prefer to spend more money to purchase a scapegoat, a "silver bullet" appliance so that they can say "Hey, we had all the contromeasure, but hackers know black magic !". I don't want to burn-out. I prefer to give the correct information to the peoples want to listen and then I hope in a future in a better company.
I assume English isn't your first language, so this is my attempt to correct. Please don't take this as a criticism, but rather as (hopefully) helpful feedback. Even with English as my native language, I'm sure there's some grammar mistake I've made as well.

____

What if I told you that the software banks are using to transfer money has passwords hardwired inside, has to be run as administrator, has some command injection problems, etc.? Sadly companies think of security as a cost and to maximize their profit, they let people who should never even approach a keyboard write insecure programs because they cost less. Because testing is also expensive, it's the same story. Did a big airplane manufacturer do the same? Their customers? Who makes the decision often doesn't care. They prefer to spend more money to purchase a scapegoat, or a "silver bullet" appliance, so that they can say, "Hey, we had all of the countermeasures, but hackers know black magic!". I don't want to burn out. I prefer to give the correct information to the people that want to listen and then hope for a better company in the future.

____

Thank you ! Yes it isn't my first language and I wrote the post going at work, on a bus. So no time to review it.
A buddy of mine works in security and I can see him writing this post, haha.

Or did he?

Anyhoo, I cannot imagine working in a technology field and not being allowed to do your damn job. Sounds frustrating af, I’d quit too.

Basically everyone wants security, but nobody wants to pay for it.

Maybe the market equilibrium means people don't get hurt enough yet.

And in my opinion, having done some IT security work, it seems to be a relatively miserable field, even if the salaries are going up.

Miserable in the sense that customers don't care, you have to be paranoid and brilliant at the same time, it can be weeks without an emotional payoff, yet everything is always urgent but rarely important.

Having watched some conference videos on the topic, the bro-toxicity is still strong in that field, too.

You are not pissed off, you are burned out.

When all the people around you are fine and you can't cope with the environment, it's time to look for professional help, for your sake.

I don't think he/she is burned out. When you are burned out you can't do anything anymore. Then you are way over 'being pissed off'.

But! being pissed off at work is a very good way to get burned out. Most people who are burned out are having conflicts with their moral and what they do or how they live.

So good for the author to make this clear to his boss and is taking action. Because in the end being mad will turn into being burned out.

Por que no los dos?

Burnout is complex and seems to have multiple causes. But chief elements are 1) being overwhelmed and 2) having no sense of agency or effectiveness.

Being in a situation in which:

1) You have clear view of the problems.

2) Others around you deny they exist, and/or

3) Actively prevent you from addressing them, and/or

4) Fail to provide you the tools, time, staff, authority, or other resources to address the problem(s), and/or

5) Act, operate, or produce / deliver products in ways that are completely insufficient to the problem domain

6) Or other forms of denial, frustration, sabotage, etc., of an effective response ...

... I think that someone in such a situation would become both angry and burnt out.

In fact, I could empathise quite strongly with such feelings.

You are not pissed off of your work. You are pissed off of yourself. You are not complaining because the work is wrong, you are complaining because you are angry within, and you believe it is not your fault. You are not taking responsibility of your emotions as you are supposed to and as taught by all the masters of wisdoms. Go back home and rethink who you are. The world is not changing for you unless you change yourself. You are losses off because you are seeing an imperfect self everywhere .
This type of drum circle commentary is so unhelpful.

Raising the bar for security in the software industry requires much more than just self reflection and elbow grease from individual engineers.

The solution requires buy in from all stakeholders. Especially management.

We are not talking about the same problem. Yo are not seeing the fact that it is only you who are responsible for what’s happening inside you . And you are taking the wrong path fixing that by fixing everything else but you.
Agree to disagree.

Anger is quite useful.

Hmm. Anger is a byproduct of fear. Fear is a signal.

Victory achieved with the power of anger will not last for long?

My suggestion is to take distance towards things that keep us busy, stressed and angry.

This usually reduces the stress levels so much that some of the healthy and objective thinking capacity is gained. Can take some time though. Weeks. Even months. There is time!

In many cases we'll find that there indeed was something which is "side railed" within. And other things which are less than optimal with the outside world too. =)

Both aspects are equally important from our individual perspective.

What is inside we have better control for (though sometimes it really requires effort and patience to change even these things).

What is outside we can possibly start to bend according to our vision.

Before we start to bend outside, it would be good if we are clear within.

All that being said - This indeed can be the moment from which things start to turn to much better direction in so many ways. So perhaps even anger has it's purpose. Not as a tool, but as a initiator.

Godspeed!

"Yo are not seeing the fact that it is only you who are responsible for what’s happening inside you ."

This kind of pop-psych babble is naive and abusive.

Blame the whole world, why don’t ya
That's clearly the only other option.
A slightly different take would be: check on your expectations.

Make 3 columns (for a start) : 1/ Explicit your expectations of the world. 2/ State what you see. 3/ State why you think things are this way, and how you could contribute to change them.

Putting this explicitly might transform anger into contemplation first, then understanding (of the disconnect, of the possible courses of action).

Then use this table to discuss this with people that could help you doing so.

> I'm pissed off at the state of information security [...] I'm pissed off that our tooling is falling behind. I'm pissed off that my clients don't seem to take it seriously

Information security, like physical security, isn't something people want to have to care about or put effort in, and if they don't want to, they often won't. What you should be pissed about is that clients have to care and it isn't applied transparently. When being insecure is more difficult than being secure, then you'll find the mindset shift. In the meantime, you should be pissed off at those that make security difficult, not those that care less to endure those difficulties. I know some of the post addresses vendors, but the rest concerning your-company software and vendors is misplaced anger.

"A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one."

No one in management wants the expense or the overhead of actual security. They want the "theater" of security, the good feeling, the box to check on their resume (as management) so everyone can pretend everything is fine and go back to the business at hand. Then something real happens, a leak of user data, or credit cards or internal memos... suddenly everyones job is security and no one knows what to do. The last problem gets solved, there is more "theater" and a few quickly forgotten changes that get worked around or just ignored in the long run.

Furthermore your average engineer wouldn't eat a ham sandwich handed to them on the street by a stranger but will happily run code from 100's of other people on their servers with out even looking at it. Note: I too am guilty as charged. Sure you can vendor it, and miss out on future security patches (it was already broken). Or you could just pull it from whatever repo you got it from to begin with and pick up new flaws. Never mind the fact that pulling from random places assumes that all those other chains of trust remain un-compromised.

Management and Engineers should be the ones most concerend and most thoughtful regarding security and both seem to ignore it for cost and convenience reasons till it is (far too late and) a REAL problem.

> Furthermore your average engineer wouldn't eat a ham sandwich handed to them on the street by a stranger

We would however eat one provided by a café that our colleagues recommended.

That's true, and a good point, but a big part of that trust comes from the knowledge that no one can run a café without some kind of oversight and inspection on food safety.

I probably wouldn't eat a sandwich from a bootleg café.

I would if the alternative was to grow all my own food.
Or one from the company cafeteria. I’m not sure if this is the point you were making, but trust, insight and ability to get things done is quite different when working internally in an org versus working with an outside-org, and it’s a big deal.

My biggest burnout was when internal teams I worked with started to feel like external teams. That was more about engineering teams but another example: I strongly discouraged internal IT from adopting vendor/client language and mentality.

Relationships like that put them on the back foot, become defensive, and when you encounter problems the sense of being able to honestly ask what’s actually going wrong here? evaporates.

> B, multiply by the average out-of-court settlement, > If X is less than the cost of a recall, we don't do one.

Pray tell - what do you propose? Keep fiddling until no one but government officials and high level executives can afford to buy or rent a car?

> No one in management wants the expense or the overhead of actual security.

Wrong. Almost no one wants (and can afford) to _pay_ for the cost overhead you're (completely subjectively) implying would be sufficient.

This fantasy thinking has been going on ever since Ford Pinto, as if safe cars aren't available and everyone is forced to buy unsafe cars. Is there a law that bans Benz or Volvo?

> No one in management wants the expense or the overhead of actual security. They want the "theater" of security, the good feeling, the box to check on their resume (as management) so everyone can pretend everything is fine and go back to the business at hand. Then something real happens, a leak of user data, or credit cards or internal memos... suddenly everyones job is security and no one knows what to do. The last problem gets solved, there is more "theater" and a few quickly forgotten changes that get worked around or just ignored in the long run.

The incentive is that if every box was checked and shit hits the fan, insurance is on the hook to pay for stuff and not the company or the responsible party.

> If X is less than the cost of a recall, we don't do one.

We didn't take into account loss of sales and reputation, the equation is not (should not) be that simple

For those who didn't get the reference:

The OP is quoting Tyler Durden, a fictional character of the movie 'fight club'. So take it with a grain of salt.

Or, take it for what it is, a quote from a movie.

But don't dismiss the merits of the idea. It's essential Risk Management[0], which is most certainly a relevant part of Information Security. Specifically, this is a form of Cost-Benefit Analysis (specifically, Qunatativie Risk Analysis[1]), a critical component in proper Risk Management; the reality is you cannot "fix" every issue.

Take a look at methods like Single Loss Expectancy[2] and Annualized Loss Expectancy[3]; you'll find that the Fight Club quote is very close to the real-world methodology. I cannot speak for the Automobile Insurance industry, but given Insurance is founded in Risk Management, it seems likely to be closer to reality than not.

[0] https://en.wikipedia.org/wiki/Risk_management

[1] https://csrc.nist.gov/csrc/media/publications/conference-pap...

[2] https://en.wikipedia.org/wiki/Single-loss_expectancy

[3] https://en.wikipedia.org/wiki/Annualized_loss_expectancy

Fight Club is referencing to a real document made by Ford, the "Pinto Memo"
(comment deleted)
The quote is resonant because anybody with first hand experience with the way "corporations" think internally about such matters KNOWS that this is EXACTLY how it plays out.
Almost everything anyone does in business, as far as I can tell, is dramatically optimized for speed at the expense of almost everything else.

This is a natural result of a very competitive market place and, as far as I can tell, its rational if you take that circumstance to be an immutable state of affairs. Its no good stopping to dot the i's and cross the t's if, in doing so, you get completely edged out of the market by a competitor who isn't doing so. And you haven't even made the world a better, safer, nicer place by doing so. You've just left the door open for someone less scrupulous to beat you with a shittier product.

The solutions aren't palatable in the current philosophical mode: much more aggressive penalties (corporate death penalties, for instance, in which shareholders literally lose all their money) or much tighter and well enforced regulations. Move fast and break stuff truly is the philosophy of the day.

If you don't want to break stuff, you have to make moving fast less competitive. As far as I can tell, that's the only way.

>They want the "theater" of security, the good feeling, the box to check on their resume (as management) so everyone can pretend everything is fine and go back to the business at hand.

And don't forget the universal elixir that cures all security ills: adding even more rules about which passwords are allowed.

Make sure you change your password every 30 days, too. That way I have to write it down, or use a sequential password just in order to be able to remember it.
No worries, though: if you forget your password you can just call up IT and get it changed to "welcome1" :)
"Your password is too similar to one of your previous 24 passwords" -- an actual error message I've gotten before.
Google started doing this. I spent an hour changing my password literally 100 times to clear their cache of the password I intended to set. It's insanity.
The biggest checkbox in any project/contract/initiative is the one marked "Plausible Deniability." Mgmt often goes by another dictum "Success has many fathers, failure is an orphan."
This guy needs to understand his place in the workings of everyone around him, just like his product's place in the workings of the products around it. If you provide a product with a function that is transparent to the user unless it breaks, then they're going to place their priorities where the needs are most obvious and rewarding. The people who use his products have jobs with focuses are something other than his security product. Their priority will always be on what they have to do to earn their money. A corollary to earning money is saving money. As far as the product never arriving at its ideal function goes, the products that his security products serve will always evolve, so his product will always have to change with them. You can only let these things get to you so much. Source: I was responsible for the surgical equipment for a hospital. You want to see reality avoidance and cost-priorites get ugly?
Don't you think that most of your clients being breached is immaterial in the greater scheme of things?

You seem to be bothered by the "overall picture". I am also prone to this sentiment (not in infosec though) but I am actually consoled by the sort of nihilist nature of things. Maybe even optimistic for being so. I think the stuff that keeps us happy are minutiae.

If you are super keen about APIs then maybe building really sensible APIs along the way will bring you the relief of having something stimulating to work on. At the moment I get a lot of satisfaction from tooling vim to be my super-IDE and everytime I use vim now I get a kind of wry happiness from not having to use all kinds of apps and what-not. I think APIs can be super interesting and useful. For example, I wanted to pull the Bitcoin purchasing history from a site and the answer was... you have to use Golang.

I also get a sort of satisfaction from using Perl in this way. (I use Python too.) It's just that all kinds of wonderful gems were once written in Perl by people that were clearly bored with their lives (exiftool comes to mind).

I don't explicitly work in security, but I've had a handful of arguments in the past where I've discovered a serious vulnerability, and been told either by my managers or by a client that it is low-priority.

Sometimes, the vulnerability was then exploited, and what shocked me was that people were okay with this. I won't name names, but one marketing department I worked with was happier to suffer a customer data leak over having to spend budget during the end of the year to fix the issue. I later learned that the IT department got in trouble for allowing the error to happen, when the system was entirely managed by us and our sole point of contact was with someone in marketing that left their position because they didn't get on with IT.

If there's one thing I learned, it's that the ultimate currency in business is risk, and that the software/IT industry lacks the power to really do anything when a company is found to be negligent. For many, the risk of "being caught" is worth not spending money on preventative issues, and ultimately there's absolutely nothing we can do about it outside of covering our asses when the finger is pointed our way.

You only need to look at the Panera Bread security breach to see that all the badmouthing on Twitter did nothing to stop the company from painting its own narrative. Hell, the WordPress theme/plugin company Pipdig was caught ddosing its rivals with their software, and all they had to do was lay low on social media for a month and lie in a blog post. The worst part was that their non-techie customers were all too happy to back them up, meaning that the WordPress security community had zero clout to really do anything.

I have the utmost respect for anyone that works in security, because you're fighting a battle that no one wants to win, and is often a battle where it feels your partners are silently rooting for the other side.

That's why EU laws to punish such negligence are a good thing. They increase the risk for companies, to something very specific.
I'm in the UK, so all of these companies are either primarily based in the EU, or do business here.

GDPR has put some fear back in, but even today there are loads of companies that simply don't give a shit, and will happily risk it all so that they don't have to adapt their practices from years ago. In my experience, smaller companies are the worst offenders, because they know they are small fry.

Pipdig are a UK company, and have been actively caught using malicious code with proof, yet they're still running without a care in the world. This all happened recently too, so it's not like it's a pre-GDPR or pre-ICO crackdown issue.

I think CISOs are a bit more worried than they were before, but CFOs still refuse to pay for individuals. It's the old Capex vs Opex and random jealously that flies around the market, combined with a lack of skills that leads to outsourcing to consultancies that sell snake oil. It'll remain crap I imagine.
I worked at a healthcare company in the US (we provided HIPAA data connections between insurance and providers) and discovered all the production passwords were storied in a text file in the code repo half the company had access to. The CTO told me "we trust our employees". There was also no auditing on who access the DB and servers, and they never changed the passwords because the chief architect did not want to remember anything.
Did you work at my current company? Because that's Exactly what happens here.

Also, I'm so sorry you had to touch EDI, if you did.

I worked at a retailer (not Target) that did something similar. Once Target got breached in 2014, they mandated security training and began making changes to some things in the org. This was one - instead of storing those passwords in plain-text, they were encrypted. So people encrypted them, commited them into the repositories, and deployed the now encrypted files to production. Cool, right?

They didn't actually change the passwords, since that would break too many things at once. So you could just look at the git history to get the plain text password. Or debug the application locally.

Security theater all day. Sigh.

There's something both comforting and absolutely terrifying that everyone has similar stories of software negligence.

I would love to see a whistle-blower company formed, where you could report software engineering malpractice, and be compensated and/or protected from being punished. Not necessarily a union, but an industry body that could verify your security concerns and either "out" a company for punishing you, or provide you x months of work and a reference to compensate the termination of your employment.

Thanks for the essay. I’ve often seen, and myself felt the frustration of the productivity mismatch of having to work with other teams, vendors, and third party products that drag their heels, are rigid, or inflexible.

When your day-to-day involves writing code — putting together hundreds of moving parts in a code editor and shipping levels of complexity orders of magnitude greater than any previous era of the Industrial Age — it can be a real drag to get slowed down by things that aren’t code.

We have to work as teams of course, and it’s enriching when you’re all on the same page. People scoff at mission and statements and company values, but once you start working with an external vendor you realize the importance of the literal meaning of company. When you’re forced to work with something inflexible it’s ok to hack around it. It’s our bread and butter to do so.

But having to hack around things will build a sense of resentment especially when it happens over and over again, and in particular if you ever find yourself doing that to an internal product it can be a serious enough red flag to require some major org changes.

It seems a lot of people here find information security to be of utmost importance.

I would like you to consider a contrarian position. What if someone said cybersecurity (as in information security) is not very important? http://www.dtc.umn.edu/~odlyzko/doc/cyberinsecurity.pdf

Highlights from the article:

* we can just stop using computers to avoid security problems.

* Most criminals are dumb, so it doesn't matter that one smart one can control 80K people's computers around the world to mine Bitcoin.

* Data deletion attacks that cripples hospitals and governments is not a problem because they should have backups.

* Persecuting dissidents isn't a big deal?

I disagree. The contours of our world are shaped by the quality of our cybersecurity, to the point that it's the water we swim in and we just don't see it any more.

Some examples: The last US election was won in large part through highly-targeted influence campaigns run based on stolen data. Not to mention the triggering of Brexit. The influence of the NSA / Russia / Five Eyes / etc on geopolitics hinges on poor cybersecurity. I think it would be silly to assume all of the recent leaks we see come from "inside the building".

The entire economics and solution space of what is possible on the internet is shaped by our cybersecurity standards. What would the internet look like if payments and spam were easy instead of hard, or if DDOS was hard instead of easy? I might hazard a guess that this is one factor of many that drives the centralisation of tech into monopolies.

A positive externality: The general failure of the tech industry to develop good content protection has enabled widespread software and media piracy. I might suspect this has allowed second and third world countries to uplift faster than otherwise possible (sci-hub anyone?) while also removing a tool of empire from the first world.

Ah, syslog. Around 18 years ago I was part of an group developing the next syslog protocol with security in mind. My company (one of the top infosec firms at the time) had a product doing this already.

The standards group was a mess. Some other company without any credible security credentials was just forcing their bad implementation (TCP (!) and yet another protocol layer). They were backed by Microsoft and some other corporation. Cisco member just idling there. I ended up leaving as it was a waste of time. Never even bothered checking what happened with those protocols. But I've never heard of them again.

(tinfoil hat on) I think the Microsoft guys sabotaged it on purpose and succeeded.

Don't know about what group you're talking about but it ended up well: no need for a new protocol, just wrap in TLS with mutual cert authentication. TLS/TCP is fast enough nowadays that the overhead doesn't matter, and it saves you from having yet another standard.
But they did create a protocol with even more layers.

Also our solution did not need two way communication (as per TCP) but had encryption. This is key in a lot of infrastructure when you change environments (e.g. DMZ to some internal subnet). TCP and SSL were supported, too. Our software was used by one of the larges Unix installations and one of the largest telcos in the world. While theirs, not so much.

This post resonates very well with me. I am in the exact same position, possibly more frustrated because of our naïve attitude towards building security.