Seeking an Engineering Manager to lead our Java backend team. This is a hybrid role based in Chicago.
*About the Role:*
- Lead and mentor a team of backend Java developers.
- Design and implement scalable backend solutions.
- Collaborate with cross-functional teams for optimal performance and delivery.
*Requirements:*
- 5+ years of experience in backend development (Java).
- Proven leadership and team management skills.
- Familiarity with cloud services and system architecture.
Direct hiring manager, you can reach me at jnelson11 (at) gmail (dot) com
Spirit is such a pile of garbage that doing anything is better than doing nothing to spirit. We should make the judge fly Spirit for a few months and this merger will pass with flying colors.
JPMorgan Chase | All Levels, Software Engineering, Engineering Managers, Software architecture | Chicago, Columbus, Plano, Delaware, UK | ONSITE (Hybrid/Flexible)
I am looking for engineering managers and software engineers at all levels to help lead development efforts in our consumer & community banking line of business.
It’s true that the unpopular and weird opinion is to do an extremely lazy workout and barely walk a little bit each week and over time you will see a massive change. That’s it!
Security by obscurity is not security at all. Thinking you were safe because “people didn’t know about it” is not safety at all! Bad people are going to be bad. They don’t need AirTags for that. Knowing it can happen is far better for everyone to know about than living in a false sense of security.
As someone who has been in this field professionally for almost 20 years, my thoughts on this have changed quite a bit. The idea of condemning security through obscurity traces back to cryptography, not security in general. In cryptography, you want the security of your protocol to not depend on the protocol being secret, but the cryptographic keys themselves being secret. There are a lot of good reasons for this, the main one being that the whole point of cryptography is to create protocols that can survive public scrutiny and thus are more easy to implement and more robust.
So for example, without cryptography you'd need to secretly pass a message by courier who might take a secret route, constantly changing his route and delivery time. With cryptography, you can encrypt and sign the message, and then broadcast it over an insecure channel. The second option is much easier than the first. So the whole enterprise of cryptography is based on the principle of abandoning the confidentiality of the protocols themselves.
But there are many situations that require security which are outside of cryptography, because the security of the overall system cannot be reduced to high entropy secrets, and in that case, there is some security benefit that is obtained from obscurity.
For example, we are concerned about username enumeration because we understand users choose weak passwords that might be found in databases, so we do not publish usernames and consider it a vulnerability when usernames are leaked.
As another example, we consider information disclosure consisting of stacktraces leaked to the user to be a vulnerability.
Similarly, there are data centers that cannot just get up and move, and so locations and protocols of these installations are also kept secret.
So while it's true that things which are hard to change should not rely on secrecy in order to maintain their security level, and we should constantly be improving and hardening our protocols so that they can resist public scrutiny, nevertheless it's not the case that all protocols have been or are able to be improved so that their security properties are reducible to high entropy bit strings - in fact most systems don't fall into this category and most will never fall into this category - and for these systems, part of the security will continue to rely on obscurity, even though we are painfully aware of the drawbacks of this approach.
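The two application-level examples in the comment above, username enumeration and stack traces leaked to the user, both come down to what the server says and how long it takes to say it. The block below is an added illustration, not code from the thread or from any product it mentions: a login check whose failure message and work factor are the same for an unknown user and a wrong password, and a request wrapper that logs the real traceback server-side but returns only a reference ID to the client. The user store, hashing parameters and handler are constructed for the demo.

```python
"""Added example (not from the thread): a login check and an error wrapper
that avoid two of the information leaks named above, username enumeration
and stack traces returned to the user. Everything here is constructed for
illustration; the user table is not real account data."""
import hashlib
import hmac
import os
import secrets
import traceback

_ITERATIONS = 100_000  # PBKDF2 cost; chosen for the demo, not a recommendation


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier from the password and per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user(password: str) -> tuple[bytes, bytes]:
    """Create a (salt, verifier) record for a new account."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed user store: username -> (salt, verifier).
USERS = {"alice": make_user("correct horse battery staple")}

# A dummy record used for unknown usernames, so that a request for a name
# that does not exist costs the same hashing work as one that does. Without
# it, a fast "no such user" reply reveals which usernames are real even when
# the message text is identical.
_DUMMY_SALT, _DUMMY_VERIFIER = make_user(secrets.token_hex(16))

GENERIC_FAILURE = "Invalid username or password."


def login(username: str, password: str) -> tuple[bool, str]:
    """Return (ok, message). The message is the same for 'no such user' and
    'wrong password', the verifier is always computed, and the comparison is
    constant-time, so neither text nor timing separates the two failures."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_VERIFIER))
    candidate = _hash(password, salt)
    matches = hmac.compare_digest(candidate, stored)
    if matches and username in USERS:
        return True, "Welcome."
    return False, GENERIC_FAILURE


# Stand-in for the server-side log; a real service would write to its logger.
LOG: list[tuple[str, str]] = []


def handle_request(handler, *args) -> tuple[int, str]:
    """Run a handler and translate any exception into a generic 500 response.
    The full traceback (file paths, framework names, versions) is kept on the
    server under a reference ID; only that ID reaches the client."""
    try:
        return 200, handler(*args)
    except Exception:
        ref = secrets.token_hex(4)
        LOG.append((ref, traceback.format_exc()))
        return 500, f"Internal error. Reference: {ref}"


def fragile_handler(x: int) -> str:
    """Constructed handler that fails for x == 0 to exercise the wrapper."""
    return str(1 / x)


if __name__ == "__main__":
    print(login("alice", "wrong"))   # same message as an unknown user
    print(login("nobody", "wrong"))
    print(handle_request(fragile_handler, 0))
```

The point of the dummy record is that the generic message alone is not enough: if the hash is skipped for unknown names, the response time still enumerates users. Likewise the error wrapper does not hide the failure from operators; the reference ID in the client response lets them find the full traceback in the log.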
Even in cryptography, there can be value in obscurity.
For instance, suppose you have a system that uses the latest well-known encryption algorithm. You keep the keys secure. Of course.
Now suppose you have an alternative version of the system which super-enciphers all traffic with a fixed and physically protected key. Clearly, if that key is known then the system is no harder to attack than a system without the super-encryption. If the key to the super-encryption is not known, this adds considerable security against, say, successful key interception. Essentially, you are adding diversity of mechanism so that attackers have to multiply and diversify their attacks.
So security-by-obscurity can be a useful adjunct. It just can't be the whole story. Also, it isn't something you should talk about which means that the conversation about such techniques tends to be dominated by people who don't have practical experience with expert and well-financed adversaries.
The intelligence community is very well aware of these factors. That's why they try to protect the integrity of their hardware so much. That's also why they don't talk much about the pragmatic aspects of their encryption machines.
Obscurity is not a good primary line of defense. But there's no reason why, all else being equal, it can't be part of a more robust setup. The more obstacles the better: like simply not using standard port #s for services so that it takes more than a quick scan of common ports to find something. Simple, and sure easy to defeat, but it takes you off the list for the lowest hanging fruit of targets.
Security by obscurity is actually pretty good security. Obviously not foolproof, but pretty good. Of course it depends on how good your obscurity is.
Plain text passwords are not very obscure. And that is mainly where the phrase comes from.
Avoid any advice that touts itself as gospel! Do your own DD for the product or services you’re building. Maybe you’re never going to hit more than 100 users in total or maybe you’re building a static website. Take some time and evaluate the pros and cons of your architecture and seek advice from those who have come before you!
Amazon Web Services - AWS CloudWatch | Sr Software Engineer | Herndon, Virginia + Washington DC | Full-time
Join us building a software solution that runs on hundreds of millions of virtual machines and containers to help diagnose the health of the cloud infrastructure and microservices running on top of it. Our customers include every Amazon internal service team and the external customers who eagerly want to monitor and diagnose their applications. You will use knowledge in both Linux and Windows and sophisticated programming skill in GoLang to write high performance and secure software. Don't know GoLang? No problem, we'll train you. You will often contribute your code to the open source community and interact with programmers from all over the world.
If this sounds interesting to you, please feel free to reach out directly to me, the hiring manager, to learn more and apply!