SwiftOnSecurityDec 5, 2022
Microsoft seeing people use their products with the default settings they ship to customers
Show threadKostcheiDec 30, 2022
@SwiftOnSecurity a year+ ago I did azure security training, provided by Microsoft, in singapore, to folks they knew were security professionals ...
And every session of the multi-week epic involved setting up resources groups, servers, storage and users with credentials or settings that were just plain insecure. "we'll just do X- you wouldn't do this in production but for training purposes we'll do this quick work around" every time, every exercise.
"here's an rdp link" " copy this password" "open this to internet so we can X"
Teach / train /ship by default.. the way you want people to use it-- this must be, securely. Anything else is an abomination, a taint on the future... /rantoff
Show threadverb (printfJess) 🦄Dec 30, 2022
@kostchei @SwiftOnSecurity You'll get the same thing with IBM, Google, etc because big tech firms only run conferences for marketing purposes. They're organised by marketing and they want business decision makers to adopt their products. That's the only reason why they exist.
Show threadverb (printfJess) 🦄Dec 30, 2022

@kostchei @SwiftOnSecurity That said, I went to an awesome IBM Think event - pre covid era - where they had actual ML experts teaching us, on the tech track, how to use IBM Cloud practically. I learnt some stuff, and they were very real and open about limitations and hybrid technology. Brilliant.

All others, not as great.

Show threadKostchei
@verb @SwiftOnSecurity
This was private training provided only to the security team at the company I work for, directly by microsoft, as part of a deal to get us to use more of their cloud. (I think a dozen of us did the training)
And it still amounted to teaching bad habits mixed with advertising- the trainer was a good guy, knew his stuff. A security person's security person . But the course content... I couldn't believe it
Dec 30, 2022 at 7:41amWeb
Show threadverb (printfJess) 🦄Dec 30, 2022

@kostchei @SwiftOnSecurity When you think about it. The experts don't spend their time giving talks. They do experty stuff, often in higher paying less client facing roles. Occasionally experts will take time "off" to give talks.

But if you can see the value in the tech, while also seeing gaps, talk about them.