Anon witnesses excellent security

⁨1054⁩ ⁨likes⁩

Submitted ⁨⁨1⁩ ⁨day⁩ ago⁩ by ⁨Object@sh.itjust.works⁩ to ⁨greentext@sh.itjust.works⁩

https://sh.itjust.works/pictrs/image/f6d87861-6cbd-48b4-8ffe-0da264ee9e61.jpeg

source

Comments

Sort:hotnew top

napkin2020@sh.itjust.works ⁨1⁩ ⁨day⁩ ago

this is supposed to be more secure because it costs money

It makes blaming someone really easy though and that’s all that matters in a corporate world.

source
- 9point6@lemmy.world ⁨1⁩ ⁨day⁩ ago
  This is legitimately it. The same reason corporations often pay for Linux (e.g. RHEL)—the people in charge want to be able to pick up a phone and harass someone until they fix their problem. They simply can’t fathom any alternative approach to managing dependencies.
  
  source
  - InputZero@lemmy.world ⁨1⁩ ⁨day⁩ ago
    Not just pick up the phone and harass someone but to also have someone to press a lawsuit against if things go really wrong. With free software the liability typically ends at the user which means all they can do is fire the employee and eat the loss. Suppose now corporate paid for it, well now there is a contract and a party that can be sued.
    
    source
    -> View More Comments
- schnurrito@discuss.tchncs.de ⁨1⁩ ⁨day⁩ ago
  The greentext reminds me of this FAQ entry: www.chiark.greenend.org.uk/~sgtatham/…/faq.html#f…
  
  A.9.17 As one of our existing software vendors, can you just fill in this questionnaire for us?
  
  We periodically receive requests like this, from organisations which have apparently sent out a form letter to everyone listed in their big spreadsheet of ‘software vendors’ requiring them all to answer some long list of questions […]
  
  We don’t make a habit of responding in full to these questionnaires, because we are not a software vendor.
  
  A software vendor is a company to which you are paying lots of money in return for some software. They know who you are, and they know you’re paying them money; so they have an incentive to fill in your forms and questionnaires […] because they want to keep being paid.
  
  […]
  
  If you work for an organisation which you think might be at risk of making this mistake, we urge you to reorganise your list of software suppliers so that it clearly distinguishes paid vendors who know about you from free software developers who don’t have any idea who you are. Then, only send out these mass mailings to the former.
  
  source
  - Laser@feddit.org ⁨1⁩ ⁨day⁩ ago
    I read only part of the URL and thought this was about puzzles. Never knew the guy made Putty as well
    
    source
- lessthanluigi@lemmy.sdf.org ⁨1⁩ ⁨day⁩ ago
  So the corporations are just The Gang in It’s Always Sunny In Philadelphia?
  
  source
- Object@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
  Would be really funny if they still get fucked over because of some fine print in the disclaimer
  
  source
  - Saledovil@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
    Or maybe the vendor goes with “take the money and run”.
    
    source
stoy@lemmy.zip ⁨14⁩ ⁨hours⁩ ago
This has nothing to do with security, and everything to do with liability.

You can’t really sue an open source project using a proper license, they disclaim any liability or warranty, meaning the buck stops with you.

If you hire a software development firm and pay for them to build software for you, you will have a different license, the software company can just repackage open source software into their own UI and branding, take the money and declare bankruptcy if their customers try to sue them.

The customers are mostly happy, they get to tick the box that they have a support contract for the software and a company is liable if shit hits the fan. The software development company is happy, they get money for doing very little actual work.

The open source project probably doesn’t know about the abuse of the license and thus mostly doesn’t care.

source
- rmrf@lemmy.ml ⁨5⁩ ⁨hours⁩ ago
  I’ve been in these meetings and you’re on the money. Insurance (the concept, not necessarily the product) is almost always the reason any time you see some stupid policy.
  
  When I was young and naive I thought the technologically correct way to do things was the best. In the business world that’s seldom the case, though.
  
  source
- JackbyDev@programming.dev ⁨4⁩ ⁨hours⁩ ago
  At one place I worked we couldn’t use eclipse licensed things because the license mentioned indemnification or something. I don’t really understand what that meant because I think some other licenses mentioned it too. Plus literally all of us used Eclipse IDE.
  
  source
frezik@lemmy.blahaj.zone ⁨1⁩ ⁨day⁩ ago
It’s “more secure” because there’s a specific company to blame when it goes wrong.

source
- DarkDarkHouse@lemmy.sdf.org ⁨1⁩ ⁨day⁩ ago
  Security through liability
  
  source
  - Landless2029@lemmy.world ⁨1⁩ ⁨day⁩ ago
    The bigger you get the more this is a thing actually.
    
    source
- Empricorn@feddit.nl ⁨4⁩ ⁨hours⁩ ago
  That would make some sense if the company was purchasing a solution, not a tool. Or a contract/SaaS model or something. Instead, it’s like banning known screwdriver brands and expecting people to still have no problem loosening and tightening screws…
  
  source
- drcobaltjedi@programming.dev ⁨1⁩ ⁨day⁩ ago
  Yeah, i worked briefly at multinational japanese motor company and this was their logic. I was hired as a software developer contractor and HQ had rules stating, no open source software, no free software and the one that puzzled me the most no in house executables (WHY THE FUCK DID THEY HIRE ME?)
  
  source
  - cows_are_underrated@feddit.org ⁨1⁩ ⁨day⁩ ago
    How were you supposed to test your software if you weren’t allowed to create an executable?
    
    source
    -> View More Comments
  - TheBat@lemmy.world ⁨1⁩ ⁨day⁩ ago
    Honda?
    
    source
    -> View More Comments
- ChaoticNeutralCzech@feddit.org ⁨5⁩ ⁨hours⁩ ago
  Sure but what if they have “we can at best refund you, no more liability from us” in the EULA?
  
  source
- shalafi@lemmy.world ⁨1⁩ ⁨day⁩ ago
  My old boss called that “one neck to choke”.
  
  source
Randelung@lemmy.world ⁨8⁩ ⁨hours⁩ ago
Had that discussion before. Was attacked because I use a f&os lib from GitHub instead of a paid and licensed one, the latter somehow meaning it’s error free. Spoiler alert: it wasn’t. Or at least their usage wasn’t.

source
ashenone@lemmy.ml ⁨1⁩ ⁨day⁩ ago
Every day I wake up I thank God I’m not an MBA 🙏

source
- lka1988@sh.itjust.works ⁨16⁩ ⁨hours⁩ ago
  Sometimes I wish I was a piece of shit so I didn’t need to worry about money.
  
  source
- Flax_vert@feddit.uk ⁨21⁩ ⁨hours⁩ ago
  MBAs would just buy an LLM software subscription to fix it
  
  source
- ChickenLadyLovesLife@lemmy.world ⁨22⁩ ⁨hours⁩ ago
  “This fucking paycheck! What am I going to do with all this money?”
  
  source
Rai@lemmy.dbzer0.com ⁨18⁩ ⁨hours⁩ ago
My org told me “you can’t install open source software”

Everyone uses Firefox

I just want OpenShell

source
DickFiasco@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
Worked for a company that had a similar policy against free software, but simultaneously encouraged employees to use open-source software to save money. I don’t think upper management was talking to the IT department.

source
Sylvartas@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
There is an entire sub-industry and probably thousands of jobs being propped up by this stupid way of thinking about software. I can’t be mad at it because it pays the bills for a few of my friends…

source
- Landless2029@lemmy.world ⁨1⁩ ⁨day⁩ ago
  I could really see companies just fork open source and give it a tweak like UI or new switches…
  
  Terrible.
  
  source
  - wer2@lemmy.zip ⁨1⁩ ⁨day⁩ ago
    At one point my company made us buy Eclipse from a vendor because free software was not allowed. It had no tweaks or support, just out of date Eclipse that I had to wait for purchasing to get
    
    source
    -> View More Comments
  - Skullgrid@lemmy.world ⁨1⁩ ⁨day⁩ ago
    
    I could really see companies just fork open source and give it a tweak like UI or new switches…
    
    They should not be able to do that if it comes under non commercial licence
    
    source
    -> View More Comments
  - Flax_vert@feddit.uk ⁨21⁩ ⁨hours⁩ ago
    New wealth redistribution method?
    
    source
neidu3@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
My previous employer was bought by a huge company. I liked it in the small company, because I had freedom to do it what was needed without much questions, and I was trusted to make the relevant decisions.

When we came under the big corpo, we got an email of all the software we used/needed, so that it could be added to the whitelist that big corpo worked with. Anything not in the whitelist simply couldn’t run.

I gave them the list, but spoke to my on-shore It guy that out in the field we often needed to install something that we didn’t need before on short notice, and waiting for a ticket to be resolved for an administrative matter had the potential to stop production.

They found it easier just to make an exception for my work PC. I just had the promise not to VPN in to the office while running “weird” stuff, otherwise the higher ups would get upset.

That’s fine. I had my own VPN for only the stuff I needed anyway.

source
- underscores@lemmy.zip ⁨1⁩ ⁨day⁩ ago
  “we need this NOW”
  
  > Package I install is immediately black listed by IT, I submit a high priority ticket and I don’t hear from them for days, maybe weeks
  
  Like what the fuck can I do
  
  source
  - apftwb@lemmy.world ⁨1⁩ ⁨day⁩ ago
    Yes, but does one of the existing whitelisted executables fulfill the same function?
    
    source
    -> View More Comments
TootSweet@lemmy.world ⁨19⁩ ⁨hours⁩ ago
Honestly, a policy of “no free-of-charge software installed on workstations except FOSS” might improve security a bit and probably without doing all that much damage to the day-to-day workings of the company.

For that matter, if my employer instituted a policy of “no software except FOSS”, my own particular job probably would be a surprisingly small adjustment. As long as they were willing to do the work to set up infrastructure and/or let us switch to FOSS alternatives that require third-party server providers as necessary. About all I can think of that’s installed on my work machine that’s proprietary is:

Zoom

A paid corporate VPN client

A random program that I use to authenticate to Kubernetes clusters in use where I work (so I can use Kubectl)

Chrome

The Client Management software my company uses (the software they use to remotely administrate the company-provided machines – force install shit without telling you, spy on you, nag people who have computers that aren’t actually used to return them, wipe your computer if you report it stolen, etc)

And, of course, bios, proprietary firmware blobs, etc

Beyond that, I honestly can’t think specifically of anything else proprietary installed on my work machine. My personal computers have far less proprietary software installed than the above list.
source
- derpgon@programming.dev ⁨19⁩ ⁨hours⁩ ago
  Not related, but did you ever use k9s? Quite nifty CLI tool to control Kube, albeit not on a very advanced level, it helped me a lot to not get drowned in Kube commands.
  
  source
shalafi@lemmy.world ⁨1⁩ ⁨day⁩ ago
My last boss got rid of the pfSense routers because “open source is not secure”. I argued that pfSense has been vetted over and over and over again. Nope. “Everyone can see the source code.” That’s the fucking point!

TBF, pfSense isn’t the fastest routing, but at our small company is was more than sufficient.

source
- MehBlah@lemmy.world ⁨1⁩ ⁨day⁩ ago
  For a small to medium sized business pfsense is the only solution that makes sense. The only requirement is that you have a actual sysadmin on staff and not a vendor jockey.
  
  source
  - wer2@lemmy.zip ⁨1⁩ ⁨day⁩ ago
    OPNsense is also a viable alternative.
    
    source
    -> View More Comments
QueenHawlSera@sh.itjust.works ⁨23⁩ ⁨hours⁩ ago
Everyday my misnathropy is justified

source
- ChickenLadyLovesLife@lemmy.world ⁨22⁩ ⁨hours⁩ ago
  I majored in Anthropology in college. I should have done Misanthropology.
  
  source
  - InternetCitizen2@lemmy.world ⁨18⁩ ⁨hours⁩ ago
    You did; just need to apply it.
    
    source
    -> View More Comments
- Vanilla_PuddinFudge@infosec.pub ⁨22⁩ ⁨hours⁩ ago
  Print the fucking t-shirt man. I’ll buy one for every day of the week.
  
  source
psmgx@lemmy.world ⁨1⁩ ⁨day⁩ ago
It’s not more secure, it’s so they can offload blame and have people to sue if/when something ugly happens. Liability control, essentially.

We had to pay for fucking Docker container licenses at my last job because we needed an escalation to the vendor in case our SMEs couldnt handle things (they could), and so we had a vendor to blame if something out of our control happened. And that happened: we sued Mirantis when shit broke.

source
- brbposting@sh.itjust.works ⁨14⁩ ⁨hours⁩ ago
  Hey PS: search engines do return a result for a suit against that company so potential self-doxxing territory (but maybe you’re open in your comment history IDK)
  
  (Don’t have a PACER login so couldn’t tell what was up with the suit that came back when I checked this morn, also could’ve been an unrelated suit)
  
  source
- brbposting@sh.itjust.works ⁨22⁩ ⁨hours⁩ ago
  Ever hear how the suit turned out, generally?
  
  source
radix@lemmy.world ⁨1⁩ ⁨day⁩ ago
“If you’re not paying for the product, then you are the product.”

The phrase has its uses, but shit like this is what happens when it’s taken to the extreme.

source
- wer2@lemmy.zip ⁨1⁩ ⁨day⁩ ago
  Often times when you pay for the product, you are still the product.
  
  source
  - ChickenLadyLovesLife@lemmy.world ⁨22⁩ ⁨hours⁩ ago
    I’m the product in the sense that poo is the product of the intestines.
    
    source
  - sleen@lemmy.zip ⁨1⁩ ⁨day⁩ ago
    That is just a fact at this point
    
    source
- SaharaMaleikuhm@feddit.org ⁨1⁩ ⁨day⁩ ago
  The simple exception is free software (free as in freedom). It’s really not that complicated.
  
  source
- Jumuta@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
  Digital security education in schools actually give people brain tumour ffs
  
  source
psycho_driver@lemmy.world ⁨1⁩ ⁨day⁩ ago
Don’t forget your new 32 character/symbol/number/nordic rune passwords that will need to be changed every 17 days.

source
- fibojoly@sh.itjust.works ⁨6⁩ ⁨hours⁩ ago
  Oh you gonna love those new directives for SSL certificates we got cooking!
  
  source
- AllHailTheSheep@sh.itjust.works ⁨23⁩ ⁨hours⁩ ago
  I hate sites that make me constantly change passwords. it’s been shown time and time again that making users change passwords often decreases security by a pretty large factor, and yet a lot of sites still do it
  
  source
  - MrsDoyle@sh.itjust.works ⁨22⁩ ⁨hours⁩ ago
    Our workplace did that. You had to change every month and you weren’t allowed to just add a digit. It meant that people started writing their passwords on post-its stuck to the monitor.
    
    Mind you, back in the 90s your password was the same as your username. It was very handy, because if someone went home leaving a document locked, you could just log in and unlock it. Our first “proper” IT professional was horrified.
    
    source
  - brbposting@sh.itjust.works ⁨22⁩ ⁨hours⁩ ago
    Interesting, stopped seeing this a while back. Forced change after the inevitable hack though of course
    
    source
    -> View More Comments
- wolframhydroxide@sh.itjust.works ⁨22⁩ ⁨hours⁩ ago
  And don’t forget required 2-factor authentication, in an age where that becomes 1-factor authentication as soon as someone has your phone, because both factors are accessible there!
  
  2FA is utterly worthless in the age of smartphones, and whenever my employer tries to implement it, I refuse and tell them that, if they want me to do 2FA, they can either provide me with a work phone, or they can give me a USB key that is just going to sit in my desk drawer.
  
  source
  - Gutek8134@lemmy.world ⁨5⁩ ⁨hours⁩ ago
    There are other ways to 2FA, such as having a physical key on yourself /srs
    
    source
    -> View More Comments
  - a_wild_mimic_appears@lemmy.dbzer0.com ⁨22⁩ ⁨hours⁩ ago
    which still requires someone to swipe your phone and the owner not recognizing it long enough to do a remote wipe. I am not someone who hangs on the smartphone 8 hours per day, and even i would realize my phone is gone within 15 - 30 minutes, giving an attacker a pretty small time window to act.
    
    source
qjkxbmwvz@startrek.website ⁨1⁩ ⁨day⁩ ago
I am becoming increasingly more appreciative of the fact that I have root access to “my” company provided work device.

source
- sugar_in_your_tea@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
  My boss went so far as to buy Macs because we have “special needs” (we don’t) because otherwise we’d be forced to use the corporate locked down crap. Root access sure is nice.
  
  source
  - ChickenLadyLovesLife@lemmy.world ⁨22⁩ ⁨hours⁩ ago
    I had to move to a Mac because of iOS development. Now I’m stuck with a Mac because the fucking thing refuses to break.
    
    source
  - Tuxman@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
    Wait till they learn about Jamf Pro and Mosyle 😜 (Well… granted they also have to deploy it correctly after…)
    
    source
    -> View More Comments
misteloct@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
Vim? Oh wow. I’d be looking into a USB Keyboard that types the entire source code of vim into the machine, assuming there isn’t an easier option.

source
- Flax_vert@feddit.uk ⁨21⁩ ⁨hours⁩ ago
  Fork vim, rename it, sell it back to your company
  
  source
  - KindnessIsPunk@lemmy.ca ⁨20⁩ ⁨hours⁩ ago
    Donate cost back to vim
    
    source
    -> View More Comments
sugar_in_your_tea@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
Nice. My response is my 2-week’s notice.

source
daggermoon@lemmy.world ⁨23⁩ ⁨hours⁩ ago
This pisses me off

source
southernbeaver@lemmy.world ⁨1⁩ ⁨day⁩ ago
Oh my god. My colleagues were making fun of postgres users. They didn’t bother doing a Google search.

source
over_clox@lemmy.world ⁨1⁩ ⁨day⁩ ago
Funny, if one shares a screenshot of a 4chan post that says the word ‘retard’, it gets upvoted, but if you post a comment that says Google AI is retarded, you get downvoted into oblivion.

I’ll never fully understand the modern internet, seems like double standards to me.

source