Microsoft seeing people use their products with the default settings they ship to customers
@SwiftOnSecurity a year+ ago I did Azure security training, provided by Microsoft, in Singapore, to folks they knew were security professionals ...
And every session of the multi-week epic involved setting up resource groups, servers, storage and users with credentials or settings that were just plain insecure. "We'll just do X; you wouldn't do this in production, but for training purposes we'll do this quick workaround." Every time, every exercise.
"Here's an RDP link." "Copy this password." "Open this to the internet so we can X."
Teach / train / ship by default the way you want people to use it, and this must be securely. Anything else is an abomination, a taint on the future... /rantoff
@kostchei @SwiftOnSecurity You'll get the same thing with IBM, Google, etc., because big tech firms only run conferences for marketing purposes. They're organised by marketing and they want business decision makers to adopt their products. That's the only reason why they exist.

@kostchei @SwiftOnSecurity That said, I went to an awesome IBM Think event - pre covid era - where they had actual ML experts teaching us, on the tech track, how to use IBM Cloud practically. I learnt some stuff, and they were very real and open about limitations and hybrid technology. Brilliant.

All others, not as great.

@verb @SwiftOnSecurity
This was private training provided only to the security team at the company I work for, directly by Microsoft, as part of a deal to get us to use more of their cloud. (I think a dozen of us did the training.)
And it still amounted to teaching bad habits mixed with advertising. The trainer was a good guy, knew his stuff. A security person's security person. But the course content... I couldn't believe it.

@kostchei @SwiftOnSecurity When you think about it, the experts don't spend their time giving talks. They do experty stuff, often in higher-paying, less client-facing roles. Occasionally experts will take time "off" to give talks.

But if you can see the value in the tech, while also seeing gaps, talk about them.

@kostchei @SwiftOnSecurity Preach it.

I once proposed a training course about how to secure SQL Server to the point that stone-age-mindset auditors couldn't find a fault.

Better part of a week required if we made them do labs properly.

Nope, I was made to cut it down to a half-day of training and two half-days of labs (the second one optional for juniors).

@venzann @kostchei @SwiftOnSecurity It's almost as if the problem was...

capitalism 🤔

Until corporations are held accountable with severe economic penalties for not doing their homework, we'll keep finding this over and over because instead of investing in security ("it's cheaper to pay the fines"), top execs prefer to maximize their profits.

@yuki2501 @venzann @SwiftOnSecurity
Honestly, 1990s me would tell you "it is a way of ensuring those with credentials from Microsoft are in demand and that MS gets folks doing its courses. It's complexity and failure by design."
Now I think it was just cruddy/flawed and not by design.
@venzann @kostchei @SwiftOnSecurity @yuki2501 or it's that resources are limited and short-term thinking prevails in every system. If anything this was worse under communism. The best solution might be to properly penalize negative externalities like this and create an incentive structure that uses capitalism to get the desired outcome.
@yuki2501 @troglodyt @venzann @SwiftOnSecurity @kostchei No, not optimistic at all, just even more pessimistic to throw out the baby with the bathwater and still accomplish nothing. Nothing will happen at all though, due to regulatory capture. With communism nothing would even need to be captured, though, which is even worse.

@ajmurmann
your fear of a post-capitalist, class-less society that is not built on capital accumulation is funny and also quite disturbing

the "baby" is right now causing incomprehensible suffering to a degree and on a scale that makes the disasters of the Hebrew Bible look like jokes, and most of the people alive are participating knowingly in this

@yuki2501 @venzann @SwiftOnSecurity @kostchei

@ajmurmann
and no, your religious hope that somehow capitalism will overcome itself spontaneously and suddenly stop eradicating our habitat isn't pessimism, it's optimism fueled by a fanatic, religious fervour

please join us apostates

@yuki2501 @venzann @SwiftOnSecurity @kostchei

@ajmurmann
if by communism you mean the attempts at replacing the dictatorship of the market with dictatorships of the proletariat in the Soviet Union and China, and you also seriously think we aren't way, way worse today than they were, that's also a religious opinion

@yuki2501 @venzann @SwiftOnSecurity @kostchei

@venzann @troglodyt @yuki2501 @SwiftOnSecurity @kostchei life today by almost any metric you can think of is better than it was twenty years ago.

I'm fairly convinced that as long as there is scarcity we are gonna either have economic or social pressure. I do hope that once we reach post-scarcity we can alleviate those. But that's far out.

@troglodyt @kostchei Do you have any pointers to write-ups on how to do away with those pressures while being highly resource-constrained?

On the original point here about software projects cutting corners, I think it's always gonna happen. Even if it's just excited folks waiting for your software. Time is limited and some stuff needs to get pushed off, and abstract-seeming risks are gonna be the most likely to get pushed off.

@ajmurmann
not sure what you mean, but people in IT that skimp on quality and craft should be kicked out and barred from working in the field, just like lawyers and bean counters do, and if we don't, the state will try to regulate us instead and that will inadvertently make good craft criminal

@kostchei

@ajmurmann
ok so the metric 'capitalist crisis is not good', how are we doing? the dot-com bubble popped twenty years ago, and during these decades we've had the Lehman crash, negative interest rates, the US openly waging a global war on the rest of us, very deadly pandemics have returned after chilling for a century

not even computers are much better today than they were then, except electricity consumption and size

@venzann @yuki2501 @SwiftOnSecurity @kostchei

@ajmurmann
also scarcity isn't an issue. the problem since the fifties or so is to make people consume more even though they don't need to, e.g. we're wasting insane amounts of good food to keep it out of the hands of the poor

@venzann @yuki2501 @SwiftOnSecurity @kostchei

@venzann @SwiftOnSecurity @ajmurmann @kostchei @yuki2501 or, hear me out on this: have a proactive regulatory regime with very active auditors who show up like the Spanish Inquisition and shut the whole thing down until they are satisfied. You know, like real government. You can write what they audit for.
@venzann bet they still claim to "take your security seriously" though 😔
@venzann @kostchei @SwiftOnSecurity AWS would do the same stuff at their loft in NYC a few years ago

@kostchei @SwiftOnSecurity God, I lived exactly the same thing.

"Please don't do this, we'll just do this the quick and dirty way for the exercise."

And then you try to look up the right way to do things... and you get dependency errors, the RSA certificate generator doesn't work, the whole system is not configured with a correct DNS and your team has no control over that, which means you can't implement HTTPS...

Want to use a seeded database for the passwords? Nuh uh! You can't do that because you need to encrypt the password en route and you don't have HTTPS! Which means you can't use seeds in the database!

Error after error, trouble after trouble, and you just give up and say "fuck it, I'll just obfuscate".

Then you go to your manager, explain the situation, and they tell you there's no time to fix that because upper management just moved the delivery date.

And by the time you finished implementing stuff, a new project came... and you give up.

The rest of the things that should be done correctly are in a backlog filled with bugs, annoyances and things that will never get done, like paying that damn license for that dual-licensed library or whatever.

Security is almost never a priority.

@yuki2501 @kostchei @SwiftOnSecurity I've had that happen at pretty much every tech job I've had. Then people are pissed cos nothing is actually done ~* properly *~ and obviously there is no documentation
@yuki2501 @kostchei @SwiftOnSecurity I’d take these as small wins. Change is extremely hard in big orgs (I was foolish to think that I’d be able to make any difference but what I am realizing is that when looked at a time frame of 2 years, there’s significant improvement and adoption everywhere but every week feels like I am failing and making 0 impact). So I’ll take the small win of people realizing these issues and talking about them

@yuki2501 @kostchei @SwiftOnSecurity You know what? I'll bite.

"If that's not the way it's supposed to be used, why the hell is that the way it's set up by default?!"

@yuki2501 @kostchei @SwiftOnSecurity what gets deferred never gets done no matter how true your intentions are.
@yuki2501 @kostchei @SwiftOnSecurity This is why I always try to do everything the hard way on my own infrastructure/labs first in order to find all of those non-obvious dependencies. And boy-oh-boy are there a lot of them hidden away these days

@yuki2501 @kostchei @SwiftOnSecurity

I call this the paradox of security: security is antithetical to usability, unless your system is attacked.

Every feature added to increase security removes some corner use-cases (by definition), and some of those corner use-cases are legitimate (in the sense that a human observer would not consider them an attack). Restrict access to only trusted machines, and now your CEO can’t run a demo on someone else’s laptop at a hotel, for example.

So there’s huge incentive for a startup to cut corners here: every time they raise the difficulty of completing their goal, they up the chance they’ll run out of runway before they succeed, and the odds of them being attacked start low because nobody cares about their nonsense until they make it.

… knowing these incentives has significant impact on one’s risk assessment of how much one trusts any startup with any PII or other critical data.

@kostchei @SwiftOnSecurity ah, so they train you to be lazy from the very start
@nullrend @kostchei Gotta keep us employed 💪

@SwiftOnSecurity @nullrend
To quote my buddy Prasanna as we both looked at foolish/insecure things done in prod

"Permanent Employment!"

I'm still crying, can't tell if it's stress or joy

@kostchei @SwiftOnSecurity I was doing an Azure training once and I literally watched someone RDP into my VM while I was doing a lab and change its password.
@kostchei @SwiftOnSecurity unfortunately, Azure especially has an insecure-by-default mindset. You can definitely make it very secure, but you have to put a lot of work in.
It's what most trainers, tutorials, blogs etc gloss over.
However, it ensures we keep being busy, and our own product sells 🫠
@kostchei @SwiftOnSecurity when I learned Cisco gear in college, we'd rarely save configs on the routers in the lab, because clearing them later took valuable class time. Lo and behold, I forgot to do it on the CCNA the first time (and failed), and later made the same mistake at my job, taking out a client's network on a weekend after a power outage. Teach things right the first time, or there will be real consequences.