    And we've done nothing since except allow them to do whatever the hell they want.....
    That might be because the actual “qualifications” are the ability to raise money and win a popularity contest. 
    Betsy DeVos must testify in student loan forgiveness lawsuit, judge rules
    Of course he is.
    St. Louis lawyer who waved rifle at protesters running for Senate in Missouri
    Here's a brief look at his 'platform':
    I think that the article shows a lack of understanding of the breadth of the security field, focusing only on auditors.  Auditors monitor/check to ensure compliance with security policy.  Security policy is based on best practices and is intended to protect an organization from the human factor -- legitimate users who are compromised.  This is an important (and very difficult) area to protect....but is far from the whole of security.
    Auditors do not (and are generally not qualified to) check for vulnerabilities within the systems that their security policies are looking to protect.  Again, their security policies look to protect from the human factor -- George down in finance browses to the wrong site (or clicks the wrong link, etc.) on a corporate system....that kind of thing.
    Hackers (ethical or otherwise) look for and exploit vulnerabilities both at the software/hardware level and the wetware level -- whatever is going to get the access that they are looking for.  Security policies will help to keep the legitimate users of a given system from unintentionally providing that access, but that's an extremely tall order and not even half of the battle.  An organization needs to know (and fix or at least isolate) the vulnerabilities at a software and hardware level in their systems...and for many, that's a very expensive and invasive proposition. Companies like Colonial Pipeline have systems that were designed a LONG time ago, generally jerry rigged into providing networked/internet access.  Security policies that are properly designed and implemented can help to limit the extent of a given breach, but don't really address the underlying vulnerabilities that may have led to the breach in the first place. This doesn't devalue them, it just means that they're only part of the solution.
    I'd like to demonstrate the mentality of the target audience of that article so you can see exactly why it was written and why The Hill chose it to be good enough to publish.
    This is a real exchange in the comments of the article.
    Me: Doing the "holistic view" thing is highly needed. If you can't trust your IT guy to have access to your system, you aren't doing a good job of hiring IT guys. And they need to look at the system whenever and wherever they think there might be a need to.
    On the other hand, blackballing someone from ever working again in the entire industry because they happened to work at a place which had a security breach is beyond stupid. The person you're interviewing likely wasn't in charge of implementing policy at his business. That's like refusing to ever hire a Volkswagen mechanic because the Volkswagen company for years covered up how much their diesel engines polluted. (The mechanic didn't set company policy, didn't participate in the coverup, and almost certainly had no idea that anything inappropriate was happening because there was no way for him to access that kind of information.)
    Joe: Why on earth would you hire someone who already destroyed security somewhere else? This is a good suggestion.
    Me: That "someone" will generally be working with a dozen or dozens of other people.
    If they pin a security breach to George, don't hire George.
    But if George is doing everything humanly possible at his task but someone else fails at their task, don't punish George for it.
    Take this pipeline thing. Okay there's a breach. You fire all the people and they lose all hope of ever working at anything to do with computers ever again.
    You hire a whole new staff.
    There's another breach so you fire all of those people.
    Who the hell is going to be willing to work for you regardless of what you offer to pay them? People who are so bad that they absolutely can't get a job anywhere else? People who are so desperate for money that they'll do anything (yeah, that's a good person to put in charge of your sensitive data). And geezers who are so close to retirement that if they lose all hope of ever working in the industry again, that it makes no difference (and good luck if they're at the top of their game rather than hopelessly out of date).
    The pipeline HAS TO WORK. But you're guaranteeing that it's going to fail because they can't hire good people to work for them because working for the pipeline is a sure career killer.
    Now let's look at the long-term effects.
    Why would you go to college and study to get into that field when the first mistake by any of your co-workers will make you permanently unemployable? The answer is: you wouldn't.
    People who were talented would avoid getting into that field because they could do literally anything else and have a better chance at a career. So the pool of people who would be willing to do that kind of work would keep shrinking from few new people wanting to get into it and from anyone with any sense trying to get out of it and do anything else before they get blackballed.
    That's EXACTLY what you DON'T want to happen.
    You need the best and brightest to be eager to get into the field rather than setting up the field to be so hostile that they want to avoid it at all costs.
    Joe: Who cares about their schooling? If this profession is causing the problems why would you want to hire them anyway? Even if they have not caused a breach, they are a den of idiots. Why not go with engineers who know how to lock down systems?
    So... yes, but at the same time, it is not good security to give any one person full access to all systems.  IT security does need to be able to see everything that's happening, but should not have access to make changes.  Conversely superusers should rarely have access to all things.  Role based access control has been a best practice for decades, and the industry is now moving toward zero trust.
    Again making an example of my last organization, my predecessor there was removed when it was found that she'd lied on her resume (among other things).  Then she went home, logged in remotely as domain admin, and started deleting files, accounts, and logs.  It was a really exciting first couple of weeks there, I learned a lot about their backups.
    As a career IT architect and current cybersecurity analyst, that is definitely a pretty bad take.  It's hard to know where to begin, but suffice to say that cybersecurity "best practices" 1. rarely go far enough and 2. are usually sabotaged by senior bureaucrats through underfunding and lack of support.
    As an example of 2., consider that my last supervisor directly asked that I falsely attest to our organization's PCI compliance status.  Hence, the new job.
    Unfortunately it also strongly supports that excess deaths are probably far more indicative of the true impact of this pandemic.
    A ways back when I got my first shot, I was talking with one of the hospital staff where it was happening.  I targeted the early fall for a return to at least Mostly Normal, as this would be the start of the school year.  I think...hope?...that's still a decent projection.  Mind:  that's for the US.  For India and Brazil, I very much fear it's going to be much, much later than that.
    Just dropping in to express more disgust over President Biden standing with Netanyahu and failing to denounce Israel's terror attacks in Gaza.
    Just dropping in to voice my disgust with how the United States' government is responding to the Israeli violence.
    About 12 hours after my 2nd Pfizer shot I got body aches which lasted about 24 hours.  Irritating but I managed it with ibuprofen.
    I'll still remember you all if I win...
    So, Liz Cheney is out for her refusal to bend the knee to Trump. And her statements of fact about the election and January 6 insurrection.
    I do not like her family or politics, but that’s not a good sign for future election cycles if you enjoy things like Democratic process and smooth transitions of power...
    It is currently legal to run over protestors in Florida with your car.
    I freely admit that I am struggling big time with Covid restrictions by now.  Remember back when it was "14 days to flatten the curve?"  I sure don't.  I want to go back to my dojo so badly it hurts, once I am fully vaccinated (April 29!).  It's the only place where I have consistently seen real fitness results, as it's never the same workout twice and never easy.  They've been operating according to Minnesota guidelines on gyms, with masks required, and a moratorium on certain drills (grappling, open hand, and some weapon drills) that require close contact with another person.  The owners have always been meticulous about cleaning the place, and have upped their game in the last year in that regard.  To date there is no known case of Covid that can be traced to the dojo.
    Yet...is returning to the dojo wise for me to do?  My better half and I have kept extremely tight bubbles, and we are still healthy.  When I achieve full vaccination, is the dojo a reasonable risk, or am I being reckless?  I don't necessarily expect an "answer" here, as I'm not sure there is a good one.  I'm mostly looking to get this off my chest.  I also know that I'm far from the only person who wants some semblance of "normal" back, but is hesitant to take that next step.
    Two weeks since my second dose - I'm fully vaccinated.
    I'm also still wearing a mask.
    No known or observable super powers.
    I dunno if I've mentioned this, but I was among the first in Ontario, Canada to get Covid-19 back in mid-December 2019. Couldn't prove it at the time, because tests didn't exist yet at that point and I've since had two more bouts (both with positive test results). I worked as a cleaner regularly up to March 2020, and very infrequently on a temp basis since. Always wore protection and kept my distance, but my cleaning jobs have always been of the commercial/industrial variety. The first time, I was very ill and bedridden for ten days and have never quite recovered physically from it. The two later times weren't half as bad but still not fun. Pretty similar if you got the worst pneumonia ever combined with flu. It's a misery and I wouldn't wish it on my worst enemy.
    I'm in my mid-40s, so I'm not going to see a vaccine for at least a month, probably well into June at the rate my area of the Province is going. Anti-Mask/or anti-vaxx people are idiots at best, and complicit killers at worst to me. The governments could do a hell of a lot better but it could have done a lot worse too. The CERB saved me economically when it came out, but the inability to continue onto the follow up program has forced me to work dangerous gig stuff and my Province is doing its best to even make that impossible. So it's all a very mixed bag here but it could be a lot worse.
    Not on topic, but I just want to thank everyone who supported my decision to leave my job. My family doesn't think it's a good idea at this time, and they may be right. But the die is cast, and there's no turning back now.
    Our statewide mask mandate ended today because of reasons, but individual businesses and the like still have the right to require people to wear masks when they come in.
    Specifically exempt from the end of the mandate are public schools. The State Board has decided that teachers and students must continue to wear masks in the schools until the end of the school year.
    So naturally we have a bunch of parents planning to weaponize their children and send them to school without masks on Monday in protest. Which is stupid and pointless, because neither teachers nor administrators have any power or authority to change the directive from the state board. But we're the easiest target, so that's where the protesters are going.
    I mentioned the issue to one of my classes last week. To my great relief, the large majority of the students seemed appalled by the idea that people would try to come to school without masks as a form of protest.
    I'm planning to give it until the end of the month. I know the end of the school year would be better for my students, but I don't think I can last that long under the incoming director. I'm not retiring, just trying for something new. This job has held me back for too long.
    I haven't sent my letter yet. Waiting for a call from the outgoing admin to see if I can get a transfer. But I'm thinking I'm just going to quit after all.
    It's scary to be without a job at this time, but considering what I went through last time I worked under the incoming boss, I decided the mental anguish isn't worth it.
    Edit: Just sent the letter. 
    I'm going to get my shot this afternoon, so I may have the chance to do the same.
    I've just given notice at work today, so I've already done so figuratively.
    US suicides dropped last year, defying pandemic expectations
    (Not directly relevant to the thread, but it was a frequent point of discussion here a while back.)
    I think Rocket described my body perfectly in the same movie. "[I] look like melted ice cream."
    Well the side effects are starting to kick in. A couple of hours ago I started feeling feverish and right after I got pretty severe chills, although they're getting better. The fatigue is kicking in, too. My arm's sore (no worse than the first one, though). I'd give anything to not be here at work. I'm going to ask my boss if I can go home (he's really cool about things like that). But I also had a doctor's appointment (my regular checkup) today, too. I'm waiting to hear back from them to see if I should reschedule or not.
    It sucks, but at least it's doing what it's supposed to be doing.
    Just thought that some of you that haven't had either shot or just the first one might like some more info on what it's like the second time around.
    "A person is smart. People are dumb, panicky dangerous animals and you know it."
    ~ Agent K, Men In Black 
