loudwhisper
@loudwhisper@infosec.pub
- Comment on Tea app leak worsens with second database exposing user chats 7 hours ago:
If I were in the security team of that company, I would never accept ACLs on the bucket as a sufficient compensating control for this risk. Here the best and most reasonable control would be encryption, which would make the bucket being public relatively unimportant.
When you are collecting such sensitive data (potentially including personal data of people not using your service), you simply can’t even imagine doing that by storing the data unencrypted.
- Comment on [deleted] 1 day ago:
Really annoying interaction. I am out. Cya.
- Comment on [deleted] 1 day ago:
That’s not the argument, and you know it, which, you need to understand, now makes it even harder not to think maliciously about the good faith you bring to the conversation.
In case you actually care about it: I feel your statement not only unfairly characterizes white men (not all of them, taking blame for other demographics too, etc., etc.), which who cares, but also is completely exclusionary of all those women who are not historically oppressed by white men, for example those in different parts of the world, those themselves part of racial minorities, etc., and that’s what I think is racist. Of course, in that US-centric perspective the world is the same as for Hollywood disaster movies…
You disagree for sure, but since you were interested in comedy…
- Comment on [deleted] 1 day ago:
Fair enough.
However, OP stood by his statement:
Including both in the same sentence is because of the common shared group of oppressors, white men.
So I guess your interpretation was too generous, mine slightly too strict.
- Comment on [deleted] 1 day ago:
You meant to write what you wrote, I assumed…?
But I see we are going in circles. So far you are leaning on “that’s the common oppressor” which sounds silly to me if I am being honest. But anyway, whatever. I stand by the fact that your original statement is either extremely US-centric (and frankly a bit racist from multiple points of view) or just generally incorrect. Don’t need to convince you or change your mind. So have a good day/evening/whatever.
- Comment on [deleted] 1 day ago:
Are you implying that minorities aren’t oppressed and don’t need safe spaces?
What? My only qualm is that you added white to a sentence about gender oppression. Of course minorities are oppressed and need safe spaces.
which I assert is true in the vast majority of the world where English (the language we are speaking) is the primary language for the country
What has the language we are speaking (which is not even my language) to do with what is “historically” true or not? Is this just a classic example of US exceptionalism or what?
Including both in the same sentence is because of the common shared group of oppressors, white men.
Minorities are also oppressed by way more demographics than white men.
If you want any statement to be true for literally the entire world, then your expectations are unreasonable.
Saying that men oppressed women is a much, much, much more accurate statement, for example. There are always exceptions, but we are talking about different things.
- Comment on [deleted] 1 day ago:
Absolutely not true. The critique is based on adding a racial connotation to gender oppression, which is completely orthogonal to it.
To be even more frank, saying that women and minorities need safe spaces because white men historically oppressed them is complete bonkers. Women need safe spaces because men historically oppressed them, and that is true all around the world, in almost all communities.
I literally took your words literally, as I quoted and addressed the very sentence you wrote. You decided to add white to a sentence that didn’t need it. It’s already the second comment where you refuse to elaborate and instead you indulge in meta-conversation. So for the sake of clarity, discard everything I have said so far, and allow me to simply ask what did you mean with that sentence?
- Comment on [deleted] 1 day ago:
The rest of the critique remains nevertheless.
- Comment on [deleted] 1 day ago:
No it doesn’t exclude that, but it also unnecessarily mixes racial with gender discrimination, and in a general statement like that it is odd to do that. The intention I perceived was to link the creation of spaces that women (or minorities) require to white men discrimination only, which is absurd in my opinion.
To make a similar example, saying “gay people need their spaces, because they are historically discriminated against by black women” doesn’t “exclude” that men also discriminate against them, or that white women also do, but I hope you can see what an odd statement that is, and if someone found it misogynistic or racist, I think they would be right.
Thinking maliciously, I would say that’s the classic way for a white guy (the commenter stated that about himself) to make a statement that is less controversial because it only “accuses” their own demographic and the most acceptable demographic to critique.
- Comment on [deleted] 1 day ago:
Can you please then elaborate on what the following means, according to your interpretation?
Women and minority only spaces exist because white men as a group have historically discriminated against them
- Comment on [deleted] 2 days ago:
It’s more like that stage only allows women participants. But the stage example doesn’t work well because a forum is not a stage.
Either way, I take issue with the idea that a male participation makes a space inherently unsafe. You didn’t say it explicitly, but you kinda implied it.
I think this is not only false, but it’s divisive and it’s a terrible narrative to build that harms cohesion in the face of class struggle.
- Comment on [deleted] 2 days ago:
~white~ men as a group
Unless you are suggesting women have not been discriminated against in non-white communities?
- Comment on [deleted] 2 days ago:
Do you/did you feel that random members of a demographic “speak for you”? Why would that be the case for people you have nothing in common with except some amount of genetic material?
- Comment on [deleted] 2 days ago:
To be fair the vast, vast majority of the rules are simply common sense stuff. If you are not an asshole, you can avoid reading community rules and in 99% of cases you won’t violate any.
- Comment on The challenge of deleting old online accounts | Loudwhisper 2 days ago:
Thanks. Absolutely my experience too. The ones where you can’t edit the email, I noticed, often used the email as username, and god knows how bad the code on the backend is.
- Comment on The challenge of deleting old online accounts | Loudwhisper 3 days ago:
Hey, I haven’t, but to be honest, the answers I got from most companies showed me that the processes were handled by people who barely understood the legal and technical aspects around data collection (e.g., often support agents were on the other side of privacy@), which means I wouldn’t trust their answer anyway AND I doubt many of these companies have an effective way to even check that.
From the data-being-sold point of view, I think unfortunately it’s way more effective reaching out to the few big data brokers to request cancellations or paying one of the companies who offer such a service…
- Comment on The challenge of deleting old online accounts | Loudwhisper 4 days ago:
Thanks for the kind words!
I won’t take credit for the template, I have used the one found here: datarequests.org/…/sample-letter-gdpr-erasure-req…
- Comment on The challenge of deleting old online accounts | Loudwhisper 4 days ago:
Eh, the thing is I made the formal request using data deletion module, but I just assumed that’s what the support person asked the development person (“team”), assuming it was not the same person for both!
- Comment on The challenge of deleting old online accounts | Loudwhisper 4 days ago:
Congratulations on completing this!
I have indeed moved most accounts to individual aliases. I used to use the same username and similar emails (perhaps grouped like shops@mydomain), but I got no benefit and the username allowed unnecessary correlations.
So alias + random username and I will have much much less trouble in the future. Hopefully!
- Submitted 4 days ago to technology@lemmy.world | 10 comments
- Comment on Rule34 blocked the UK entirely rather than comply due to the new law. 5 days ago:
Social/Political problems need social/political solutions, not technical solutions.
- Comment on Using Clouds for too long might have made you incompetent 2 weeks ago:
When they need, they’ll learn.
100% agree. But. If you are a principal engineer claiming to have experience hardening the thing, you would expect that learning to have already happened. Also, I would be absolutely fine with an “I never had a chance to dig into this specifically, I just know it at a high level” answer. Why come up with bs?
Maybe those engineers were like that too.
I mean, we are talking about people whose whole career was around Kubernetes, so I don’t think so?
- Comment on Using Clouds for too long might have made you incompetent 2 weeks ago:
I partially agree, but not only are we looking for experts in that thing, we are also looking for security experts, and security knowledge is very much meta-knowledge. A software developer might not care at all about - say - how the CI/CD works, because all they care about is that the thing builds the code. A security expert generally has a broader scope, and their job is not functional, which means their job is exactly understanding the thing to be able to model the risks around it. So they might not care about all the tools used in that CI/CD or the exact details of the steps, but they should understand the execution flow, the way third party dependencies are pulled, verified, consumed, the authorization model etc.
There is no such thing as a security professional who doesn’t understand - at least from an academic point of view - the overall setup of a thing they worked with.
If I take the image attestation example I made in the post, I consider the “inner workings” to be the cryptographic details, such as ciphers and their working mechanisms, or the exact details of the way that attestation can be verified offline, or what exactly is computed and how. I am OK with someone not knowing this. But not understanding the whole flow? Well, without this what’s left? Copying the 3 lines of code that do something from the Github documentation? Any software engineer can very much do that, what is your contribution as a security specialist?
……people lie on CVs and cover letters. If your ad has buzzwords and technology X, Y, and Z
Totally agree. It is very likely, although the more people I interview, the more I think that they are not lying from their perspective. It’s that people can legitimately make a career today by stitching together stuff with scotch tape, spending years just doing that and effectively having little to show for those years. But from their perspective, they might be experienced in that stuff, maybe?
- Comment on Using Clouds for too long might have made you incompetent 2 weeks ago:
I wouldn’t say it’s a large expansion of skillset, meaning it’s not massive. But yes, indeed it is problematic to find people. It is because this is a vicious circle in which companies are digging their own graves by eliminating a market for those people, which in turn means that those who would want to hire some can’t find them easily, leading to outsourcing instead. Do this for 15 years across the whole industry and it stops being an option, which is pretty much where we are today. That said, training and upskilling is always a possibility for companies who invest in their own employees and are playing the long game…
- Comment on Using Clouds for too long might have made you incompetent 2 weeks ago:
Well, for the relatively small sample of Kubernetes experts I interviewed, basically any topic beyond “you use this tool” was a disaster, including Kubernetes knowledge. I am not selective, it’s not like I expect a specific skillset, but what would you think if someone with a decade of platform security doesn’t understand cryptography and supply chain, Linux permissions, Kubernetes foundational concepts, container isolation or networking? At some point the question is legitimate: what are you an expert in? The answer I have been able to give myself so far is “stitching together services that do stuff” and “recommend what the documentation/standard recommends”. I consider myself satisfied to have somewhat decent knowledge in some of those areas, I am not expecting someone to understand all of that, but none of them? Maybe from someone who just joined the industry.
- Comment on Using Clouds for too long might have made you incompetent 2 weeks ago:
You say “incompetent” and “less skilled” as general statements on senior engineers. Those statements are false.
I am saying that the competencies of people who grew up (professionally) with outsourced services are more superficial and give them way less understanding (and agency) of the systems they oversee. I make the opinionated argument that knowing which service to use in a cloud provider is not just a different skill from implementing that functionality “manually”, but is hierarchically inferior, easier to acquire and less useful in general.
A weird parallel would be someone who hikes 100% of the time with a guide who takes care of orientation, camp setting etc., and someone who goes alone. If I am simply comparing the pictures they are showing me, I might not appreciate the difference, but if you asked me who I would trust to come hiking with me, I wouldn’t have any doubt, because I consider the skill “finding, choosing and listening to the guide” to be hierarchically inferior to “orient, set camp etc. by yourself”.
So it’s not just a matter of matching the skills I need, it’s actually a much broader argument about deskilling engineers.
- Comment on Using Clouds for too long might have made you incompetent 2 weeks ago:
It depends. An EKS cluster can easily cost 20x what an equivalent cluster with the same resources costs. The number of people necessary to manage it is very close compared to a bare cluster, which depending on the scale can save hundreds of thousands or millions per year, therefore allowing extra headcount.
For example, a company I worked for had a team of 6 managing all their Kubernetes clusters on rented dedicated servers. The infra cost around 50k/year. The same clusters on EKS could be managed by 4 people (maybe?), but would have easily cost 5-600k, especially since they were beefy machines, possibly even more. That amount of money would pay for 7-8 additional headcount in local hires.
Considering that in those clusters there were 40-50 postgres clusters, if those were moved to RDS they would have probably looked at millions in cloud bills per year, and the effort to run those DBs once the manifests were developed was negligible (the same team was managing them). This was a tiny startup, with limited resources for internal tools and automation development.
So it’s not like managing everything can save headcount, it’s that not outsourcing everything can save so much money that largely compensates for more headcount, plus you are giving money to real people, who spend local and pay taxes.
- Comment on Using Clouds for too long might have made you incompetent 2 weeks ago:
But you know what the kernel is. You know that syscalls are a thing, you know what role the kernel performs, you know that different filesystems have different properties (and pros and cons), etc…
You don’t need to know the details, perhaps, but you can’t ignore the fundamental theoretical concepts of kernel and OS. You might not know the whole detail of the boot procedure, but if your machines are stuck on boot, you know at least what to look for.
Here I was talking about equally foundational topics. There is nothing “above” - say - producing attestations and then verifying them. That’s literally all there is to it, but if you don’t understand the theory behind it, what exactly are you doing? As I said, I don’t care about the details, I didn’t expect someone to mention ciphers or timestamp authorities, transparency logs etc. All I would expect is “we produce a signature with a bunch of metadata and we verify it where we consume the artifact, so that we are sure that the artifact has the properties attested by the signature”.
Not knowing this is like someone claiming that they administer Linux machines but can’t explain what network interfaces are or how routing is determined. This is not a question of being expert on different layers, this is just being oblivious to those other layers completely.
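The flow described here (and in the earlier comment on the image attestation example), as an added example that is not the commenter's code: the producer signs a statement that pins the artifact by digest together with the claims about it, and the consumer verifies the signature under a trusted key and then checks that the statement describes the exact bytes it is about to use. The key pair, the artifact bytes and the simplified in-toto-like statement layout are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is the "bunch of metadata": the artifact (pinned by digest) plus claims.
type Statement struct {
	Subject   string            `json:"subject"`   // e.g. image or file name
	SHA256    string            `json:"sha256"`    // digest of the artifact bytes
	Predicate map[string]string `json:"predicate"` // the claims (builder, source...)
}

func digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// Attest is the producer side: bind the claims to the artifact's digest and
// sign the serialized statement. Returns (payload, signature).
func Attest(priv ed25519.PrivateKey, name string, artifact []byte, claims map[string]string) ([]byte, []byte, error) {
	payload, err := json.Marshal(Statement{Subject: name, SHA256: digest(artifact), Predicate: claims})
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Verify is the consumer side, run where the artifact is used: the signature must
// verify under a trusted key AND the statement must describe these exact bytes.
func Verify(pub ed25519.PublicKey, payload, sig, artifact []byte) (*Statement, error) {
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature does not verify under the trusted key")
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, err
	}
	if st.SHA256 != digest(artifact) {
		return nil, errors.New("valid attestation, but for a different artifact")
	}
	return &st, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	image := []byte("constructed image bytes")
	payload, sig, _ := Attest(priv, "app:1.0", image, map[string]string{"builder": "ci"})
	_, err := Verify(pub, payload, sig, image)
	fmt.Println("consumer accepts artifact:", err == nil) // true
}
```

Swapping the artifact bytes, the signing key or a single signature byte makes Verify reject, which is the whole point of checking at the consumption side rather than trusting the producer's word.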
- Comment on Using Clouds for too long might have made you incompetent 2 weeks ago:
A cloud VM, just shut it down and you’re done.
If this flexibility is needed, and it’s an “if”, a dedicated server does the same. But even a cloud VM is already lower level compared to other services (which are even more abstract) - like EKS, SQS, etc.
The value an organization provides to customers should be the primary focus of the business, the rest is a means to sharpen that focus.
In my experience this often translates into value that flows to AWS, while the company giving value to customers is stuck with millions in cloud bills each month, and a large engineering footprint that eventually needs to be cut, leaving fewer and fewer people working on the product.
That said, I acknowledge that cloud has business reasons to exist, I wrote an entire other post about my hate for it, but I still acknowledge that. However there are some myths that finally are getting dispelled (outsource infra and focus on your product).
- Comment on Using Clouds for too long might have made you incompetent 2 weeks ago:
I mean, the person in question had “hardening EKS” on their CV. EKS still means that the whole data plane is your responsibility. How can you harden a cluster without understanding the foundation of container security (isolation primitives, capabilities, etc.)? Workload security is very much part of the job.
I mean the moment some pod will need to run with some privilege (say, a log forwarder which gets host logs), and you need to “harden” the cluster, what do you do if you don’t understand the concept of capabilities? I will tell you what, because I asked this very question, and the answer was “copy the logs elsewhere”, which is the “make it work with the hammer solution” that again shows the damage of not understanding.
I am with you about different scopes, skillsets etc. But here we were interviewing people with a completely matching skillset on paper.
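What answering the capabilities question looks like in practice, as an added example in Go (not the commenter's or the interviewee's code): a small check that parses a pod manifest and flags privileged mode, a missing "drop: ALL", and any added capability outside an allow-list, so a log forwarder that needs host logs gets only what it needs instead of the hammer. The manifest and the allow-list are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of a Pod manifest (JSON form, which kubectl accepts just like YAML).
type pod struct {
	Spec struct {
		Containers []struct {
			Name            string `json:"name"`
			SecurityContext struct {
				Privileged   bool `json:"privileged"`
				Capabilities struct {
					Add  []string `json:"add"`
					Drop []string `json:"drop"`
				} `json:"capabilities"`
			} `json:"securityContext"`
		} `json:"containers"`
	} `json:"spec"`
}

// CheckPod returns one finding per violated rule: never privileged, drop ALL, add back only allow-listed capabilities.
func CheckPod(manifest []byte, allowedCaps map[string]bool) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	var findings []string
	for _, c := range p.Spec.Containers {
		if c.SecurityContext.Privileged {
			findings = append(findings, c.Name+": privileged=true grants every capability (and more)")
		}
		dropsAll := false
		for _, d := range c.SecurityContext.Capabilities.Drop {
			dropsAll = dropsAll || d == "ALL"
		}
		if !dropsAll {
			findings = append(findings, c.Name+": capabilities.drop must include ALL")
		}
		for _, a := range c.SecurityContext.Capabilities.Add {
			if !allowedCaps[a] {
				findings = append(findings, c.Name+": added capability "+a+" is not allow-listed")
			}
		}
	}
	return findings, nil
}

func main() {
	// Constructed log-forwarder manifest: reads host logs, not privileged, drops ALL.
	manifest := `{"spec":{"containers":[{"name":"log-forwarder","securityContext":{"capabilities":{"drop":["ALL"]}}}]}}`
	fmt.Println(CheckPod([]byte(manifest), map[string]bool{"NET_BIND_SERVICE": true})) // [] <nil>
}
```

A read-only hostPath mount of the log directory covers the forwarder's need without any added capability; a privileged "make it work" manifest trips all three rules.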