What a complete nightmare! I bet that most of that data is useless, and the Dropbox account is just used as a dumping ground for everything and there's no tagging, cataloging, or any sort of data structures.
My assumption, given the storage requirements for laptops, is that the actual database is 2-3TB is size and that the rest is archived snapshots of the DB.
Assuming that this database has been building up over the past decade, I'm in awe over how much money they must have spent on Laptop's in the early part of this decade.
It's probably as poster above says: each snapshot (sounds like it's DB + app instance or something, maybe a VM snapshot?) is probably > 1TB in size. If you have a 1.5TB image it would make sense to want 4TB storage so that you could have two versions locally at a time. Also explains how long it takes them to do things. Every time they switch versions they have to swap out TBs of data to pull latest. Because it also sounds like they don't have a way to grab just the diffs. They grab whole images at a time.
I remember as a freshman in college using Dropbox as version control for a 4-person group project. Even then it was a hurdle. Even with everyone sitting in the same room literally saying "okay I'm working on X nobody touch that file for a couple minutes". Jesus.
No, he said that they had someone to manually download the last version of each file. If they were really using git hosted over Dropbox they could have simply cloned the repo.
Is this a problem with tech? I imagine the users who decided to put sensitive data on dropbox are personally liable? Legal might have work to do? But i fail to see the tech challenge?
Can tech fix it by
1. Disabling the dropbox account?
2. Stopping dropbox urls from resolving in their lan if need be? Or blocking dropbox ips?
3. Buying a md1280 or similar storage quickly n put a freenas or similar on it?
4. Put syncthing or similar on all the user computers n this new nas?
Can tech just stop the dropbox bit n just set up sparkleshare for everyone if git is holding up?
If git is less than efficient..then syncthing, seafile would all work for their file sharing needs n r trivial to setup?
I think you missed the part where it’s not Dropbox as a file sharing solution that’s the only problem - their entire web app runs via Dropbox API calls from Heroku!
They probably started out with Dropbox "back in the day" as a way for shared access to things (eg employees in multiple locations), and never put adequate time into moving to something more appropriate later on.
Btw, it sounded like the "version control" mentioned wasn't git.
Maybe they're doing full copies of the application + data into a timestamped directory or similar.
As an employee, you are shielded from all civil liability and some criminal liability. Sure you may be named in a lawsuit but it’s because you represent the llc/Corp and your only responsibility is to forward the documents to your upper management/legal department.
Reminds me of a firm I worked for. They decided to adopt Google Drive for the team of about 20 employees.
Every couple weeks an employee would mistake the synced folder for their local disk and rearrange files or delete files and then the files would disappear for the rest of the company.
Then we’d have to go into the backups and restore the files and send a message out to everyone to hold the files they were working on before saving them to the drive again.
Yes, that's a total fuck up on their side as well. That an incompetent company dies while doing stupid stunts like that is understandable and how the market filters out stupidity.
That another company looks at it and thinks "Oh that looks fine", that's a total failure at their work.
Usually when you acquire a company you sign of some intent lettet that shows you are serious about the purchase provided they can pass your smell test.
Then after NDA's and a few other docs if a company accepts being purchased they have to give access to their internal docs. Finance books, IT, etc.
If during this "due diligence" period the buyers find a major red flag they might pull out, revise the price down, etc.
Having seen a couple of acquisitions what I see is that things go forward because the top execs are close and went to the same school and so on. The technical details shared are light and often don't matter until things are settled and the plebs have to merge everything.
It sounds like he's referring to the due diligence as part of the M&A.
Personally I've never seen one of these discovery phases bring back anything remotely close to real life. No random IT manager alive is going to throw his dirty laundry out to a potential buyer and potentially torpedo a deal.
Some of the things I've seen/found during my company buying spree since 2015 have been magical.
That's easy. Lies, misdirection, and the person doing the technical due diligence being a C-Level/Director with zero IT background but plenty of project management experience.
They know just enough to be dangerous and frustratingly useless getting useful information from. So your integration team has to do all the planning with only the foggiest idea of what they are getting into. They then spend the entire first day on the ground just getting the lay of the land. No time to schedule local cable contractors for the really needed cable runs. Let's hope that the existing CAT5 runs work fine on gigabit for the next few weeks till we can get those contractors in to replace all the wiring. Worse case, we'll have to limit the port speeds to 100Mbps at the new switch if retransmits become an issue.
Even more fun when the next project is even less detail but the entity you are acquiring is on another continent instead of a few states over.
Have been there for an acquisition that did not go as planned. Essentially on the small side you are very dependent on the disclosure of the parties involved; short of truly burdensome diligence processes you are sure to miss things if the company being acquired is not up front about things.
Sturgeon's revelation: 90% of everything is crap applies to due diligence.
I just remember two of our engineers had a gig, spent 6 months at $150/hr wading through VHDL and C++ code of some company that was being acquired. They also had to work closely with a patent attorney who was billing probably $500/hr.
It doesn't matter. The board and CEO will _never_ listen to the CIO and technical team. If they want to do an acquisition, they'll do it. I've seen this at least a dozen times in my 36 year career.
I keep coming back to from the board and CEO's perspective they have a choice, spend a lot of their time and effort to gain market share by investing in their own company. Or acquiring it through an acquisition.
Seems like an acquisition is a lot less hassle and risk. And can be done quickly. Most 'problems' can be made to go away by throwing money and fixers at them.
This doesn't always work, see HPE vs Autonomy. That case is incredibly interesting for an insight into how idiotic and lazy execs can be. Usually though, it works out for them, probably by luck. Would be, err, "interesting" if there were more Mike Lynch around to provide similar insight (Autonomy's CEO). Then again, the case is interesting as HPE was willing to litigate, and a certain British tech news outlet picked it up.
Based on my experience: IT was well aware it was insane. Alas, IT got absolutely no budget for fixing it from top brass, as kicking the can down the road always made more sense short-term
From the article, it doesn't seem to be the fault of the IT guys. It's more like some rich guy who goes out buys a shiny used plane and hands over to the pilot to use.
I worked for a small company right out of college and we had some monsters under the bed too. Unfortunately the manager would rather new code written than cleaning up technical debt or resolving risks. So I would have to double my estimates and use my “spare time” to try to work toward some level of sanity... but there were still plenty of things that I felt guilty about and would be evasive about if someone asked.
It is better not to take ownership of someone else's bad decisions. At the very least, make sure that you do not become complicit in something unethical or illegal.
It should be noted that the evidence that stress is a primary cause of gastric ulcers has been fairly weak since the discovery of H. pylori, though there is some evidence stress may be a contributing factor.
I've got ulcer. My last ulcer attack, 5 years had me rolling on the floor. Since then, I avoided stress. Ate at the slightest hint of hunger, even as I grew a pot belly.
Also, I avoided situps, cos the muscle pains felt like ulcer attacks.
There's this specific food that I love. It's eaten RAW but often prepared in a not too hygienic manner. Since I banned myself from eating it, I've slowly become able to stay a few hours without food and can handle more stress.
The ground cassava is left to ferment for some days which removes MOST of the cyanide. There's little to no health control for food in these parts. I've read that over 50% of food stuff exported from West Africa to Europe and US get culled at the border.
If not, you’ve made a series of lifestyle changes of questionable value based on terrible (or no) evidence. Avoiding hunger, sit-ups, and raw food has no long-term benefit to your general health; becoming overweight and (maybe) exercising less than before may actually be somewhat deleterious. (Unhygienic food, raw or not, of course may be to avoid... but that’s not related to ulcer formation.)
Ulcers are totally curable via a short course of proton-pump inhibitors +/- antibiotics to eradicate H.Pylori. These are cheap (generic) drugs with a low risk of side effects. Go see a doctor and get yourself fixed up. Chronic gastric inflammation definitely isn’t good.
I apologise if you found my post difficult; that wasn’t my intention.
However, I do struggle to accept/believe that a relevantly qualified doctor, anywhere in the world, wouldn’t know what a PPI is. They aren’t new, they aren’t expensive, and they’re available worldwide. Honestly, every medical student would probably know about them.
Anyway, look for the medications named omeprazole, or lansoprazole, or pantoprazole. They’re PPIs. In many countries they’re even available over the counter. And (was together with a course of the correct antibiotics, where necessary) they cure ulcers.
Just to follow up on this, and in mind of the general risk of taking medical advice from a random dude on the internet...
As said before, please try to see a good qualified doctor about this (ideally a gastroenterologist, assuming this is possible - apologies if this is again an insensitive assumption). The reasons being:
a) If you do have an ulcer, then there are other things (beyond prescribing PPIs) a doctor might help with - such as a test for H.Pylori +/- antibiotics to then eradicate it, if you have it
b) There are other conditions that can present with similar symptoms to ulcers (they can sometimes be very hard to tell apart) which may require investigation to make a correct diagnosis, and which would then need to be treated differently.
c) There are other risks attached to chronic oesophageal/gastric inflammation; if you've had such inflammation for a prolonged period of time, it might be worth being checked out further.
My company was acquired 18 months ago. We were the smaller company, about 1/4 the size, and as the founder/CTO, I expected the acquiring company to be all over us. I mean, we had a pretty tight operation but there was only so much 16 people could achieve. There were plenty of things we could improve, and I was looking forward to the resources and experience of this bigger company to help us.
Was I in for a shock!
While their software dev practices were OK (certainly no better than ours), what hit me hardest was their secops. It was a nightmare. And these guys service some brand name clients.
As an example, not only was the corporate wifi password memorable - not actually “P455w0rd” but similarly bad - but it was written on a whiteboard in view of the whole office! Service passwords are still stored in clear text in the corporate wiki, and few people understand why this is terrible. It’s like a 90s IT shop, where people used to ask me “why would anyone care about our password?”
Kicking the can down the road is fine for a while, but without strong technical leadership, kicking the can becomes how things get done, and that’s been my experience here.
While I’ve not personally used it, I’m happy with 1Password Teams, bitwarden has a pretty well received project. If you want self hosted teams, though, you will need to purchase a license (it’s one of their money makers, and I think that is completely fair). Most of their product is otherwise open, afaik.
Bitwarden’s auth protocol allows the server to tell the client that the iteration count is 5000, regardless of the actual iteration count, and the client will send 5000-iteration passphrase-derived material to the bitwarden server (run by the developer in the usual case).
PBKDF-SHA256 is far too fast, even with the HMAC step.
You may be correct, but in current mindset u would get "What do you mean store all our password with someone else? No." answer. No amount of explaining can fix it.
> Because: in this scenario you need to drive adoption first ...
Be careful: that sort of behaviour can get you fired and potentially land your company in hot water from a legal and/or compliance standpoint, as well as lose them customers.
Compliance is often as much, or more, about having and following documented processes, as it is about having good processes. This can include an approved list of software and services. If you step outside this you are likely breaching your compliance regime.
In the specific case of passwords you may have policies and procedures around secret management that would be violated by storing this information in the cloud, even with a service specifically designed for this. As stupid as it is, the quality (or lack thereof) of your current solution is not the key point here.
If you decide to get all subversive and start using a cloud service then, at the very least, if discovered you're going to get into trouble. At worst, if customers become aware they might leave, and as I've already said, the company might find themselves in legal difficulties.
Crossplatform, git versioning, gpg security (allows you to integrate with smartcards and tokens that you might already have in place for your employees).
Decent UX too, works with clipboard, supports totp.
Uh, as much as I enjoy reading this, posting this on Reddit seems particularly unwise for job security purposes. This seems to be an ongoing incident and there's more than enough info shared to de-anonymize.
I’ve come to the assumption that either this happened already months ago, or the much more likely scenario that it’s probably largely fake (if based on a true story)
That was a cool nightmare scenario story, but holy mother of mercy was it ever tedious to read!
I can tolerate some bad grammar, but somehow the combination of incorrect articles, words auto-spellchecked to something completely different, run-on sentences, and lack of punctuation, made it a real chore to read through without getting lost...
I don't use Dropbox so I am wondering, is this fundamentally different from storing everything in S3? Is it like a single S3 bucket? Or multiple buckets on the same account?
Dropbox is essentially just a cloud synced folder. Anyone who had the shared login credentials had access to the entire production server and fragments of it could be left on any computers that were synced to it. Anyone could also delete or modify anything and it would propagate the changes to everyone else's copies with very little logging or version control. You can restore a previous version of the file, but it isn't like git or anything... just more like recently saved versions.
The post said they had an enterprise account, which I assume could limit access via separate logins, but many of the users were sharing the same single set of credentials (e.g. everyone logging in with the same account), so there was no real access control or knowledge of who all had access using that account.
Dropbox would really let you get to half a Petabyte ? I know it says as much space as your team needs, but wow. Do Dropbox start to charge per data stored when you take out an enterprise account ?
Omg. It is not like he watched his buddy lose a finger trying to hang a bridge.
It fucking just data. It is just made up numbers.
There is a reason why higher up mangers and bosses don't go e shit about code or understanding technology. Coz in the end it doesn't matter. There is always a role playing nerd that would love to slay the dragon.
So much nerds that get promoted because they belive in Dragons and such.
Ahh well if we gonna focus on the numbers only. You are right. But then people should shut up about all this environmental and economical crisis. My numbers are fine screw you if your numbers are bad. Why should that be my problem?
What are the advantages / disadvantages of going panic mode like this?
Would just increasing the size of the dropbox to keep things muddling along and then trying to figure out a migration strategy come Monday morning be impossible for legal reasons?
Sounds like the big issues are at the compliance level. They’re in a time of the year where lots of companies have much more limited availability of engineering, management, and legal staff. Sure they could easily eat the cost of temporarily upgrading the Dropbox account. But as OP describes, there are huge implications in terms of security.
They didn’t find out until today that a number of senior staff were laid off during the acquisition. Lots of room there for bad feelings. That opens them up to all kinds of vulnerabilities from disgruntled ex employees.
Imagine the repercussions come post-holidays if something bad happens during the next few weeks before everyone is back on board and there’s a security breach over the meanwhile.
I worked in a software company once where we acquired a product to integrate into ours.
It was developed by a self taught programmer in his 50ies that did versioning by making copies of the whole directory when he had something that worked, the way I also worked before university.
Since he was the only developer and he was pretty good this mostly worked. His first name was/is Leif so from then on me and my friends speak of this style of "version control" as "using Leif Points". I guess because it is phonetically somewhat close to Save Points like in some computer games.
- Are we using git or Leif Points for this project?
- eh, how about git?
This story sounds like they also used Leif Points, but for their database :O
I won't name the offender, but a well-known company I worked for did something funnier: zipping entire directory and checking the zip files in Visual Source Safe.
LOL, I used it in 1996-97 and it worked OK for a modest setup with only six users and blocking at file level. Later heard some horror stories from people working at big shops, but no worse than svn stories, anyway I haven't seen any of those.
About your time of using VSS, I was working at Microsoft in developer support (working on COM data access, and not VSS, thank $DEITY). It was fine for small internal stuff we’d do, the stories I heard from industrial-strength use did not instill confidence for anything more than a half-dozen devs. OTOH, we shipped small components for a larger product using VSS, and I don’t recal any issues. Hated the workflow and interface, but it worked
TBF making tarballs and storing that was how many projects used to work. Linus did that until they got Bitkeeper & git, he refused to use any existing VCS before that.
I use TFS for source control, but still also use Leif Points (like scheduled backup of the project every day to a local storage) in case of something messed up by the server. So don't underestimate the old guy :)
While it all feels insane from one perspective, it’s not hard to imagine a different narrative where the “founders of ‘insane asylum’ hacked the startup system, were product first, got acquired, and used their new home to pay down tech debt.”
I am not a fan of Dropbox. Stories like this are why I don’t use it.
A couple of years ago I inherited managing Dropbox for a company I was at. I’d never really used Dropbox in a more daily use company.
I discovered Dropbox wasn’t very IT admin friendly. If you share out a personal folder as your team folder, IT can’t find your folder to share it to new members of your team. The person who owns the folder has to share it out. So when new employees ask why IT can’t access and share the folder, we had to explain that’s how Dropbox works.
The other crappy thing I discovered about Dropbox from that time. I have no way to audit or tell who has what folder. If someone was sharing something illegal from their folder, I had to turn on the auditing capability and download logs as they were generated. It was confusing because if someone were sharing something and I was the admin of that account, I should have access to all files and accounts. Nope. So we dumped Dropbox before I left to avoid scrutiny down the road for any acquisitions of the company.
Dropbox is still a consumer product trying to be a workplace tool IMO. Maybe others have a different opinion.
> If you share out a personal folder as your team folder, IT can’t find your folder to share it to new members of your team. The person who owns the folder has to share it out.
> It was confusing because if someone were sharing something and I was the admin of that account, I should have access to all files and accounts. Nope.
In both cases, you should be able to assume the shared folder owner (via the admin console) and modify their permissions. Did this not work for you?
(note: I'm an ex-Dropbox eng that worked on a lot of the sharing/team management systems)
> The other crappy thing I discovered about Dropbox from that time. I have no way to audit or tell who has what folder.
Have felt similar pain with G Suite Drive. Perhaps I simply didn’t find or didn’t have the proper permissions (I wasn’t the top level admin on the org) but at some point I wrote a Python script to output a list of users who had access to each file in our organization. I saw no way of generating this automatically.
This story has many angles, the developer who built the software, the founder who took all the money, then sold the software and fired the developer. Then Dropbox who we all laughed at, is now used for distributed databases.
128 comments
[ 4.3 ms ] story [ 192 ms ] threadCan tech just stop the dropbox bit n just set up sparkleshare for everyone if git is holding up? If git is less than efficient..then syncthing, seafile would all work for their file sharing needs n r trivial to setup?
Btw, it sounded like the "version control" mentioned wasn't git.
Maybe they're doing full copies of the application + data into a timestamped directory or similar.
That kind of thing chews disk space. :/
Every couple weeks an employee would mistake the synced folder for their local disk and rearrange files or delete files and then the files would disappear for the rest of the company.
Then we’d have to go into the backups and restore the files and send a message out to everyone to hold the files they were working on before saving them to the drive again.
Yes, that's a total fuck up on their side as well. That an incompetent company dies while doing stupid stunts like that is understandable and how the market filters out stupidity.
That another company looks at it and thinks "Oh that looks fine", that's a total failure at their work.
Then after NDA's and a few other docs if a company accepts being purchased they have to give access to their internal docs. Finance books, IT, etc.
If during this "due diligence" period the buyers find a major red flag they might pull out, revise the price down, etc.
Personally I've never seen one of these discovery phases bring back anything remotely close to real life. No random IT manager alive is going to throw his dirty laundry out to a potential buyer and potentially torpedo a deal.
Some of the things I've seen/found during my company buying spree since 2015 have been magical.
They know just enough to be dangerous and frustratingly useless getting useful information from. So your integration team has to do all the planning with only the foggiest idea of what they are getting into. They then spend the entire first day on the ground just getting the lay of the land. No time to schedule local cable contractors for the really needed cable runs. Let's hope that the existing CAT5 runs work fine on gigabit for the next few weeks till we can get those contractors in to replace all the wiring. Worse case, we'll have to limit the port speeds to 100Mbps at the new switch if retransmits become an issue.
Even more fun when the next project is even less detail but the entity you are acquiring is on another continent instead of a few states over.
https://www.nytimes.com/2012/12/01/business/hps-autonomy-blu...
I just remember two of our engineers had a gig, spent 6 months at $150/hr wading through VHDL and C++ code of some company that was being acquired. They also had to work closely with a patent attorney who was billing probably $500/hr.
Seems like an acquisition is a lot less hassle and risk. And can be done quickly. Most 'problems' can be made to go away by throwing money and fixers at them.
e.g. when asked why they need so much space on their laptops, they were evasive.
To my mind this makes it much worse. Not only were they doing something dumb, but they knew it was dumb, and they hid it instead of fixing it.
It certainly invites speculation about the company culture in the acquired business.
It's a failure all round but i would say acquiring companies IT team are least to blame here.
Also, I avoided situps, cos the muscle pains felt like ulcer attacks.
There's this specific food that I love. It's eaten RAW but often prepared in a not too hygienic manner. Since I banned myself from eating it, I've slowly become able to stay a few hours without food and can handle more stress.
https://en.wikipedia.org/wiki/Garri#Health_implications
> Garri is made from cassava which contains hydrocyanic acid .../... can lead to .../... worsening of ulcers.
The ground cassava is left to ferment for some days which removes MOST of the cyanide. There's little to no health control for food in these parts. I've read that over 50% of food stuff exported from West Africa to Europe and US get culled at the border.
See: http://europepmc.org/article/PMC/3074370
See the abstract at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6526674/
When it's prepared with hot water, it forms a solid called Eba. And it's consumed with soup. The heating makes it safe from my own observation.
If not, you’ve made a series of lifestyle changes of questionable value based on terrible (or no) evidence. Avoiding hunger, sit-ups, and raw food has no long-term benefit to your general health; becoming overweight and (maybe) exercising less than before may actually be somewhat deleterious. (Unhygienic food, raw or not, of course may be to avoid... but that’s not related to ulcer formation.)
Ulcers are totally curable via a short course of proton-pump inhibitors +/- antibiotics to eradicate H.Pylori. These are cheap (generic) drugs with a low risk of side effects. Go see a doctor and get yourself fixed up. Chronic gastric inflammation definitely isn’t good.
And when my doctors have no idea what these are? And gave me the, "Avoid these food groups, exercise..."
Get off your high horse. Not everyone in the world has the same level of health care you do.
However, I do struggle to accept/believe that a relevantly qualified doctor, anywhere in the world, wouldn’t know what a PPI is. They aren’t new, they aren’t expensive, and they’re available worldwide. Honestly, every medical student would probably know about them.
Anyway, look for the medications named omeprazole, or lansoprazole, or pantoprazole. They’re PPIs. In many countries they’re even available over the counter. And (was together with a course of the correct antibiotics, where necessary) they cure ulcers.
Currently using Ab Roller for my stomach https://www.youtube.com/watch?v=dzE3Q03KXuY
As said before, please try to see a good qualified doctor about this (ideally a gastroenterologist, assuming this is possible - apologies if this is again an insensitive assumption). The reasons being:
a) If you do have an ulcer, then there are other things (beyond prescribing PPIs) a doctor might help with - such as a test for H.Pylori +/- antibiotics to then eradicate it, if you have it
b) There are other conditions that can present with similar symptoms to ulcers (they can sometimes be very hard to tell apart) which may require investigation to make a correct diagnosis, and which would then need to be treated differently.
c) There are other risks attached to chronic oesophageal/gastric inflammation; if you've had such inflammation for a prolonged period of time, it might be worth being checked out further.
https://www.mayoclinic.org/diseases-conditions/peptic-ulcer/...
Just saw this. I'll do that when I can afford it. For now, it's over the counter for me.
My company was acquired 18 months ago. We were the smaller company, about 1/4 the size, and as the founder/CTO, I expected the acquiring company to be all over us. I mean, we had a pretty tight operation but there was only so much 16 people could achieve. There were plenty of things we could improve, and I was looking forward to the resources and experience of this bigger company to help us.
Was I in for a shock!
While their software dev practices were OK (certainly no better than ours), what hit me hardest was their secops. It was a nightmare. And these guys service some brand name clients.
As an example, not only was the corporate wifi password memorable - not actually “P455w0rd” but similarly bad - but it was written on a whiteboard in view of the whole office! Service passwords are still stored in clear text in the corporate wiki, and few people understand why this is terrible. It’s like a 90s IT shop, where people used to ask me “why would anyone care about our password?”
Kicking the can down the road is fine for a while, but without strong technical leadership, kicking the can becomes how things get done, and that’s been my experience here.
I’m not long for this place.
I know this painfully well :(. Can you recommend some good solution? Ideally open source and self hosted, instead of cloud password manager.
The developer refuses to acknowledge it as a security risk, and actually caps the max iterations you can configure, both on the client and the server.
https://github.com/bitwarden/jslib/issues/52
https://github.com/bitwarden/server/issues/589
“It was audited” is meaningless if the audit missed this, or reported this and the dev dismissed it. Either way, it is unsafe.
https://crypto.stackexchange.com/a/61306
Django, uses PBKDF2-SHA256 with 216000 iterations, for example https://github.com/django/django/blob/master/django/contrib/...
Given Bitwarden allows almost 10x that, not sure I see the issue.
PBKDF-SHA256 is far too fast, even with the HMAC step.
I'd rather they use Argon2id to be as safe as can be.
However, I've not yet seen a fully cross-platform javascript-only implementation of Argon2 at all, which is problematic for an extension.. :-/
UPDATE: There actually exist an Argon2 implementation that's used by another vault, https://www.npmjs.com/package/argon2-browser
The point of PBKDF-SHA256 is to protect the secrecy of passwords if the server is compromised and its password hash db is dumped.
This is not some random webapp. It is a password manager.
Think about it.
Because: in this scenario you need to drive adoption first,if it is any complicated the humans will not use it. so you need the easiest tool possible.
when everybody is using it, THEN go for the real security move.
(you can try to find a non-cloud one that is super easy, but...)
Be careful: that sort of behaviour can get you fired and potentially land your company in hot water from a legal and/or compliance standpoint, as well as lose them customers.
Compliance is often as much, or more, about having and following documented processes, as it is about having good processes. This can include an approved list of software and services. If you step outside this you are likely breaching your compliance regime.
In the specific case of passwords you may have policies and procedures around secret management that would be violated by storing this information in the cloud, even with a service specifically designed for this. As stupid as it is, the quality (or lack thereof) of your current solution is not the key point here.
If you decide to get all subversive and start using a cloud service then, at the very least, if discovered you're going to get into trouble. At worst, if customers become aware they might leave, and as I've already said, the company might find themselves in legal difficulties.
Crossplatform, git versioning, gpg security (allows you to integrate with smartcards and tokens that you might already have in place for your employees).
Decent UX too, works with clipboard, supports totp.
I can tolerate some bad grammar, but somehow the combination of incorrect articles, words auto-spellchecked to something completely different, run-on sentences, and lack of punctuation, made it a real chore to read through without getting lost...
The patterns sound like native English speech.
I suspect dyslexia.
I hope the OP writes a book with zero changes to his writing style.
OP, please write that book / collection of stories. Loved reading this, it makes me appreciate the culture and quality of work we have in our company.
Can't run an application? Can't afford a license? Use the network share. No network share? Use dropbox.
That didn't work out.
And we all know what happened then.
When the board and ceo want's to aquired a business, IT is just something they believe can follow along easily.
Most developers are straight up lazy and uprofessional to do a job, and mixing in security is just scary as hell.
It fucking just data. It is just made up numbers.
There is a reason why higher up mangers and bosses don't go e shit about code or understanding technology. Coz in the end it doesn't matter. There is always a role playing nerd that would love to slay the dragon.
So much nerds that get promoted because they belive in Dragons and such.
Would just increasing the size of the dropbox to keep things muddling along and then trying to figure out a migration strategy come Monday morning be impossible for legal reasons?
They didn’t find out until today that a number of senior staff were laid off during the acquisition. Lots of room there for bad feelings. That opens them up to all kinds of vulnerabilities from disgruntled ex employees.
Imagine the repercussions come post-holidays if something bad happens during the next few weeks before everyone is back on board and there’s a security breach over the meanwhile.
- Are we using git or Leif Points for this project?
- eh, how about git?
This story sounds like they also used Leif Points, but for their database :O
Also - they are NOT paying down the tech debt. The programmers and sysadmin staff doing overtime mentioned are.
A couple of years ago I inherited managing Dropbox for a company I was at. I’d never really used Dropbox in a more daily use company.
I discovered Dropbox wasn’t very IT admin friendly. If you share out a personal folder as your team folder, IT can’t find your folder to share it to new members of your team. The person who owns the folder has to share it out. So when new employees ask why IT can’t access and share the folder, we had to explain that’s how Dropbox works.
The other crappy thing I discovered about Dropbox from that time. I have no way to audit or tell who has what folder. If someone was sharing something illegal from their folder, I had to turn on the auditing capability and download logs as they were generated. It was confusing because if someone were sharing something and I was the admin of that account, I should have access to all files and accounts. Nope. So we dumped Dropbox before I left to avoid scrutiny down the road for any acquisitions of the company.
Dropbox is still a consumer product trying to be a workplace tool IMO. Maybe others have a different opinion.
This is a good story to tell on Monday.
> It was confusing because if someone were sharing something and I was the admin of that account, I should have access to all files and accounts. Nope.
In both cases, you should be able to assume the shared folder owner (via the admin console) and modify their permissions. Did this not work for you?
(note: I'm an ex-Dropbox eng that worked on a lot of the sharing/team management systems)
Have felt similar pain with G Suite Drive. Perhaps I simply didn’t find or didn’t have the proper permissions (I wasn’t the top level admin on the org) but at some point I wrote a Python script to output a list of users who had access to each file in our organization. I saw no way of generating this automatically.