Microsoft seeing people use their products with the default settings they ship to customers
@SwiftOnSecurity A year+ ago I did Azure security training, provided by Microsoft, in Singapore, to folks they knew were security professionals ...
And every session of the multi-week epic involved setting up resource groups, servers, storage and users with credentials or settings that were just plain insecure. "We'll just do X; you wouldn't do this in production, but for training purposes we'll do this quick workaround." Every time, every exercise.
"Here's an RDP link", "copy this password", "open this to the internet so we can X".
Teach / train / ship by default the way you want people to use it, which must be securely. Anything else is an abomination, a taint on the future... /rantoff
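
The "open this to the internet so we can X" step usually means an NSG rule allowing RDP or SSH from any source. As an added example (not code from this thread, and not Microsoft's own tooling), here is a small check that reads the securityRules array of an Azure network security group, as `az network nsg show` returns it, and reports which management ports are reachable from an arbitrary internet address. The two NSGs, their rule names and the 10.10.0.0/24 jump-host CIDR are constructed for illustration; the first mirrors the training-lab setup, the second the same port with the source restricted.

```python
"""Flag Azure NSG rules that expose management ports (SSH 22, RDP 3389) to the internet.

Added example; the NSG contents below are constructed, not taken from any real tenant.
Rule objects follow the shape of ``properties.securityRules`` from ``az network nsg show``.
"""
import ipaddress
from typing import Dict, Iterable, List

# Sources that mean "anyone on the internet" in an NSG rule (case-insensitive).
INTERNET_SOURCES = {"*", "internet", "any", "0.0.0.0", "0.0.0.0/0"}
MGMT_PORTS = {22: "SSH", 3389: "RDP"}


def _port_matches(spec: str, port: int) -> bool:
    """True if an Azure port spec ('*', '3389' or '3000-4000') covers ``port``."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _rule_ports(props: dict) -> List[str]:
    """Azure populates either destinationPortRange or destinationPortRanges."""
    single = props.get("destinationPortRange")
    many = list(props.get("destinationPortRanges") or [])
    return [single] + many if single else many


def _source_is_internet(props: dict) -> bool:
    """True if the rule's source admits traffic from an arbitrary internet address."""
    sources = [props["sourceAddressPrefix"]] if props.get("sourceAddressPrefix") else []
    sources += props.get("sourceAddressPrefixes") or []
    for src in sources:
        if src.lower() in INTERNET_SOURCES:
            return True
        try:
            if ipaddress.ip_network(src, strict=False).prefixlen == 0:
                return True
        except ValueError:
            continue  # service tag such as VirtualNetwork or AzureLoadBalancer
    return False


def internet_exposed_ports(rules: Iterable[dict], ports: Iterable[int] = MGMT_PORTS) -> Dict[int, str]:
    """Return {port: rule_name} for every port in ``ports`` the NSG allows inbound from the internet.

    Azure evaluates inbound rules in ascending priority and the first match decides,
    so a Deny at priority 50 beats an Allow at 100; the sort below mirrors that.
    """
    ordered = sorted(rules, key=lambda r: r["properties"]["priority"])
    exposed: Dict[int, str] = {}
    for port in ports:
        for rule in ordered:
            p = rule["properties"]
            if p["direction"].lower() != "inbound" or p["protocol"].lower() not in ("tcp", "*"):
                continue
            if not _source_is_internet(p) or not any(_port_matches(s, port) for s in _rule_ports(p)):
                continue
            if p["access"].lower() == "allow":
                exposed[port] = rule["name"]
            break  # first matching rule wins, whether Allow or Deny
    return exposed


def _rule(name, priority, access, proto, source, ports, many=False):
    """Build a rule dict in the Azure securityRules shape (helper for the samples)."""
    props = {"priority": priority, "direction": "Inbound", "access": access,
             "protocol": proto, "sourceAddressPrefix": source}
    props["destinationPortRanges" if many else "destinationPortRange"] = ports
    return {"name": name, "properties": props}


DENY_ALL = _rule("DenyAllInBound", 65500, "Deny", "*", "*", "*")  # Azure's default rule

# Constructed: the kind of NSG a "quick workaround" in a lab produces.
TRAINING_NSG = [
    _rule("AllowRDPFromAnywhere", 100, "Allow", "Tcp", "*", "3389"),
    _rule("AllowSSHAndApp", 110, "Allow", "Tcp", "Internet", ["22", "3000-4000"], many=True),
    DENY_ALL,
]

# Constructed: same RDP port, but only reachable from a (hypothetical) jump-host subnet.
HARDENED_NSG = [
    _rule("AllowRDPFromBastion", 100, "Allow", "Tcp", "10.10.0.0/24", "3389"),
    DENY_ALL,
]

if __name__ == "__main__":
    for label, nsg in (("training lab", TRAINING_NSG), ("hardened", HARDENED_NSG)):
        found = internet_exposed_ports(nsg)
        print(f"{label}: " + (", ".join(f"{MGMT_PORTS[p]} via {n}" for p, n in found.items()) or "no exposure"))
```

Running it prints the training NSG as exposing RDP and SSH and the hardened NSG as clean. The check models a packet from an arbitrary internet address, so a Deny scoped to one CIDR does not count as protection, while a Deny from "*" or "Internet" that sorts before the Allow does; feed it the real `securityRules` array from `az network nsg show -o json` to audit an existing group.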

@kostchei @SwiftOnSecurity Preach it.

I once proposed a training course about how to secure SQL Server to the point that stone-age-mindset auditors couldn't find a fault.

Better part of a week required if we made them do labs properly.

Nope, was made to cut it down to a half-day of training and two half-days of labs (the second one optional for juniors).

@venzann @kostchei @SwiftOnSecurity It's almost as if the problem was...

capitalism 🤔

Until corporations are held accountable with severe economic penalties for not doing their homework, we'll keep finding this over and over because instead of investing in security ("it's cheaper to pay the fines"), top execs prefer to maximize their profits.

@yuki2501 @venzann @SwiftOnSecurity
Honestly, 1990s me would tell you "it is a way of ensuring those with credentials from Microsoft are in demand and that MS gets folks doing its courses. It's complexity and failure by design."
Now I think it was just cruddy/flawed and not by design.
@venzann @kostchei @SwiftOnSecurity @yuki2501 Or it's that resources are limited and short-term thinking prevails in every system. If anything this was worse under communism. The best solution might be to properly penalize negative externalities like this and create an incentive structure that uses capitalism to get the desired outcome.
@yuki2501 @troglodyt @venzann @SwiftOnSecurity @kostchei No, not optimistic at all, just even more pessimistic to throw out the baby with the bathwater and still accomplish nothing. Nothing will happen though at all due to regulatory capture. With communism nothing would even need to be captured though, which is even worse.

@ajmurmann
your fear of a post-capitalist, class-less society that is not built on capital accumulation is funny and also quite disturbing

the "baby" is right now causing incomprehensible suffering to a degree and on a scale that makes the disasters of the Hebrew Bible look like jokes, and most of the people alive are participating knowingly in this

@yuki2501 @venzann @SwiftOnSecurity @kostchei

@ajmurmann
and no, your religious hope that somehow capitalism will overcome itself spontaneously and suddenly stop eradicating our habitat isn't pessimism, it's optimism fueled by a fanatic, religious fervour

please join us apostates

@yuki2501 @venzann @SwiftOnSecurity @kostchei

@ajmurmann
if by communism you mean the attempts at replacing the dictatorship of the market with dictatorships of the proletariat in the Soviet Union and China, and you also seriously think we aren't way, way worse today than they were, that's also a religious opinion

@yuki2501 @venzann @SwiftOnSecurity @kostchei

@venzann @troglodyt @yuki2501 @SwiftOnSecurity @kostchei life today by almost any metric you can think of is better than it was twenty years ago.

I'm fairly convinced that as long as there is scarcity we are gonna either have economic or social pressure. I do hope that once we reach post-scarcity we can alleviate those. But that's far out.

@troglodyt @kostchei Do you have any pointers to write-ups on how to do away with those pressures while being highly resource-constrained?

On the original point here about software projects cutting corners, I think it's always gonna happen. Even if it's just excited folks waiting for your software. Time is limited and some stuff needs to get pushed off, and abstract-seeming risks are gonna be the most likely to get pushed off.

@ajmurmann
not sure what you mean, but people in IT that skimp on quality and craft should be kicked out and barred from working in the field, just like lawyers and bean counters do, and if we don't, the state will try to regulate us instead and that will inadvertently make good craft criminal

@kostchei

@ajmurmann
ok so the metric 'capitalist crisis is not good', how are we doing? the dot-com bubble popped twenty years ago, and during these decades we've had the Lehman crash, negative interest rates, the US openly waging a global war on the rest of us, very deadly pandemics have returned after chilling for a century

not even computers are much better today than they were then, except electricity consumption and size

@venzann @yuki2501 @SwiftOnSecurity @kostchei

@ajmurmann
also scarcity isn't an issue. the problem since the fifties or so is to make people consume more even though they don't need to, e.g. we're wasting insane amounts of good food to keep it out of the hands of the poor

@venzann @yuki2501 @SwiftOnSecurity @kostchei

@venzann @SwiftOnSecurity @ajmurmann @kostchei @yuki2501 Or hear me out on this.... Have a proactive regulatory regime with very active auditors who show up like the Spanish Inquisition and shut the whole thing down until they are satisfied. You know, like real government. You can write what they audit for.
@venzann Bet they still claim to "take your security seriously" though 😔
@venzann @kostchei @SwiftOnSecurity AWS would do the same stuff at their loft in NYC a few years ago.