Yes, 'cyber' security has devolved to box checking and cargo culting in many orgs. But what's your counter on trying to fix the problems that every tech stack or new SaaS product comes without of the box?
For most people when their Netflix (or HN) password gets leaked that means every email they've sent since 2004 is also exposed. It might also mean their 401k is siphoned off. So welcome the annoying and checkbox-y MFA requirements.
If you're an engineer cutting code for a YC startup -- Who owns the dependancy you just pulled in? Are you or your team going to track changes (and security bugs) for it in 6 months? What about in 2 or 3 years?
Yes, 'cyber' security brings a lot of annoying checkboxes. But almost all of them are due to externalities that you'd happily blow past otherwise. So -- how do we get rid annoying checkboxes and ensure people do the right thing as a matter of course?
Actual accountability. Do not let companies be like "Well, we were SOC2 compliant, this breach is not our fault despite not updating Apache Struts! Tee Hee" When Equifax got away with what was InfoSec murder by 6 months of jail time suspended, Executives stopped caring. This is political problem, not technology one.
>So -- how do we get rid annoying checkboxes and ensure people do the right thing as a matter of course?
By actually having the power to enforce this, if you pull our SBOM, realize we have a vulnerability and get our Product Owner to prioritize fixing it even if takes 6 weeks because we did dumb thing 2 years ago and tech debt bill has come due. Otherwise, stop wasting my time with these exercises, I have work to do.
Not trying to be mean but that's my take with my infosec team right now. You are powerless outside your ability to get SOC2 and we all know this is theater, tell us what piece of set you want from me, take it and go away.
We should be stopping leaks, but we also need to reduce the value of leaked data.
Identity theft doesn't get meaningfully prosecuted. Occasionally they'll go after some guy who runs a carding forum or someone who did a really splashy compromise, but the overall risk is low for most fraudulent players.
I always wanted a regulation that if you want to apply for credit, you have to show up in person and get photographed and fingerprinted. That way, the moment someone notices their SSN was misused, they have all the information on file to make a slam-dunk case against the culprit. It could be an easier deal for lazy cops than going after minor traffic infractions.
The problem with "identity theft" specifically is that, in itself, it's just a legal term for allowing banks to save on KYC by letting them transfer liability to society at large.
If someone uses your SSN to take a loan in your name, it shouldn't be your problem - in the same way that someone speeding in the same make&model of the car as yours shouldn't be your problem, just because they glued a piece of cardboard over their license plate and crayoned your numbers on it.
> For most people when their Netflix (or HN) password gets leaked that means every email they've sent since 2004 is also exposed. It might also mean their 401k is siphoned off. So welcome the annoying and checkbox-y MFA requirements.
Not true. For most people, when their Netflix or HN password gets leaked, that means fuck all. Most people don't even realize their password was leaked 20 times over the last 5 years. Yes, here and there someone might get deprived of their savings (or marriage) this way, but at scale, approximately nothing ever happens to anyone because of password or SSN leaks. In scope of cybersec threats, people are much more likely to become victims of ransomware and tech support call scams.
I'm not saying that cybersec is entirely meaningless and that you shouldn't care about security of your products. I'm saying that, as a field, it's focused on liability management, because that's what most customers care about, pay for, and it's where the most damage actually manifests. As such, to create secure information systems, you often need to work against the zeitgeist and recommendations of the field.
EDIT:
> This is the ultimate nihilistic take on security.
I don't believe it is. In fact, I've been putting efforts to become less cynical over last few months, as I realized it's not a helpful outlook.
It's more like, techies in cybersecurity seem to have overinflated sense of uniqueness and importance of their work. The reality is, it's almost all about liability management - and is such precisely because most cybersec problems are nothingburgers that can be passed around like a hot potato and ultimately discharged through insurance. It's not the worst state of things - it would be much worse if typical cyber attack would actually hurt or kill people.
This really resonated with me because I'm also working to avoid becoming more cynical as I gain experience and perspective on what problems "matter" and what solutions can gain traction.
I think in this case the cognitive dissonance comes from security-minded software engineers (especially the vocal ones that would chime in on such a topic) misunderstanding how rare their expertise is as well as the raw scope of risks that large corporations are exposed to and what mitigations are sensible. If you are an expert it's easy to point at security compliance implementation at almost any company and poke all kinds of holes in specific details, but that's useless if you can't handle the larger problem of cybersecurity management and the fallout from a mistake.
And if you zoom out you realize the scope of risk introduced by the internet, smart phones and everything doing everything online all the time is unfathomably huge. It's not something that an engineering mentality of understanding intricate details and mechanics can really get ones head around. From this perspective, liability and insurance is a very rational way to handle it.
As far as the checklists go, if you are an expert you can peel back the layers and realize the rationales for these things and adjust accordingly. If you have competent and reasonable management and decision makers then things tend to go smoothly, and ultimately auditors are paid by the company, so there is typically a path to doing the right thing. If you don't have competent and reasonable management then you're probably fucked in unnumerable ways, such that security theater is the least of your worries.
I’m a fellow cyclist in SF and can only wholeheartedly second this. To add some extra anxiety, I’m usually riding a cargo bike, ferrying a child to or from daycare.
I still remember the first time I went through a four-way stop intersection and saw a driverless car idling, waiting for its turn. It was weird and nerve-wracking. Now… I’d much prefer that to almost any other interaction at the same spot.
It's really interesting seeing all the comments from cyclists regarding Waymos. I currently live in a Waymo-less city and they weren't common enough in SF when I was biking there to be a big factor but I remember some harrowing moments with human drivers (without precious cargo - that sounds extra scary!). I'd be curious to try it again and am pleasantly surprised to hear it makes such a big difference!
I've got conflicted feels about Tailscale. I love their product and a bunch of the people I know use their free tier, including myself.
But their enterprise strategy destroys their good will. I can only assume it's focused on killing old school VPN products. The free tier that we love is a marketing expense. And it’s not even a conversion play.
People are complaining about ~10/user/month -- add basic things that you'd need to manage more than 10 peeps (SAML/SCIM support) and you're talking ~20/user/month. For us, a small sub 200 person company, they immediately lost their chance. We have lots of problems in the security space, some we're willing to spend more than 20/user/month to solve. Legacy network access is not one of them.
Assuming they wouldn't want to take on server maintenance workload, wouldn't something like NetBird be a better fit? The free version has ACL already, the $5/user/month has OIDC integration, and the business version (MDM integration and auditing) is $12. Then the server is still open source so if they wanted to transition to doing it themselves they still would have that option down the road.
I doubt it’s a real threat but it would be a country that would happily unsubscribe from US export bans. So Israel or Singapore would be two good options for the chip industry. South Korea or Switzerland you could argue for but are probably less realistic. Maybe Canada now, lol.
As well as being disingenuous your whole argument is beside the point. ASML isn’t threatening to move to the US.
The current administration has created day light between the US and EU governments and ASML is using this leverage to try and get the Dutch to ignore US export bans.
Here are some choice exerts so you can continue to avoid clicking on TFA:
> The pressure on asml began to build in 2019, when the Dutch government, at America's urging, barred the company from exporting its advanced euv machines to China... President Donald Trump's second term brings the threat of still tighter controls
> Referring to the Dutch government's willingness to follow America's lead on export bans, Mr Fouquet says that Europe must "decide for itself what it wants" and "should not be dictated to by anyone else".
Did you even read the article? ASML is chaffing against American-led export regulations. The Trump government is still very keen on restricting China’s ability to make cutting edge chips.
The threat to move is probably empty. But it’s not a threat to move to the place that is generating their head winds.
I mean maybe! But only if you've removed all of the usage of this compromised `tj-actions/changedfiles` action, across all your repos and their branches.
Otherwise, if you continue to use it and it will run anytime there has been a push. Potentially on any branch, not just `main`! Depending on your GH config.
Unless you've blocked `tj-actions/changed-files` you're banking on the bad actor not coming back tonight and making malicious commit that exfils those secrets to pastebin.com.
You can pin GitHub Actions to specific versions or specific commits. But note you can change version tags arbitrarily. In this specific case, the bad actor changes all of the version tags to point to their malicious commit:
https://github.com/tj-actions/changed-files/tags
The repo looks like it uses itself in its workflows, so it's possible that the commit being merged resulted in the necessary credentials being leaked to the attacker.
No idea. But they didn't do a great job -- they broke the action, which caused build failures that people were going to notice.
The malicious commit only landed at 09:57 PDT today (March 14) in one specific action (out of a number that is quite popular). Maybe they were planning on coming back and doing proper exfil?
Yes, 'cyber' security has devolved to box checking and cargo culting in many orgs. But what's your counter on trying to fix the problems that every tech stack or new SaaS product comes without of the box?
For most people when their Netflix (or HN) password gets leaked that means every email they've sent since 2004 is also exposed. It might also mean their 401k is siphoned off. So welcome the annoying and checkbox-y MFA requirements.
If you're an engineer cutting code for a YC startup -- Who owns the dependancy you just pulled in? Are you or your team going to track changes (and security bugs) for it in 6 months? What about in 2 or 3 years?
Yes, 'cyber' security brings a lot of annoying checkboxes. But almost all of them are due to externalities that you'd happily blow past otherwise. So -- how do we get rid annoying checkboxes and ensure people do the right thing as a matter of course?
reply