redfox

joined 10 months ago
[–] redfox@infosec.pub 9 points 2 months ago (2 children)

Won't someone please think of the investors...!

[–] redfox@infosec.pub 43 points 2 months ago (12 children)

I'm just glad they're still distracted with torrents...

[–] redfox@infosec.pub 6 points 2 months ago (1 children)

rawdawg some torrents

LOL! Did you spray 1's and 0's in their face when you were done?

[–] redfox@infosec.pub 1 points 2 months ago (1 children)

Good comments.

Do you think there's still a lot of traditional or legacy thinking in IT departments?

Containers aren't new, neither is the idea of infrastructure as code, but the ability to redeploy a major application stack or even significant chunks of the enterprise with automation and the restoration of data is newer.

[–] redfox@infosec.pub 3 points 2 months ago

Lol, even in 2024 with free VPN/overlay solutions...they just won't stop public Internet exposure of control plane things...

[–] redfox@infosec.pub 5 points 2 months ago (1 children)

Blank check

Funny how that seems to often be the case. They need to see the consequences, not just be warned. An 'I told you so' moment...

[–] redfox@infosec.pub 2 points 2 months ago

Agreed.

Don't we all use centralized management because there is cost and risk involved when we don't?

More management complexity, missed systems, etc.

So we're balancing risk vs operational costs.

Makes sense to swap out virtual for container solutions or automation solutions for discussion.

[–] redfox@infosec.pub 2 points 2 months ago

Yeah, that's pretty risky for this point in time.

I guess the MBA people look at total cost of revenue/reputation loss for things like ransomware recovery, restoration of backups vs the cost of making their IT systems resilient?

Personally, I don't think so (in many cases) or they'd spend more money on planning/resilience.

[–] redfox@infosec.pub 7 points 2 months ago (3 children)

Seems like your org has taken resilience and response planning seriously. I like it.

22
submitted 2 months ago* (last edited 2 months ago) by redfox@infosec.pub to c/technology@lemmy.world

After reading this article, I had a few dissenting thoughts, maybe someone will provide their perspective?

The article suggests not running critical workloads virtually based on a failure scenario of the hosting environment (such as ransomware on hypervisor).

That does allow using the 'all your eggs in one basket' phrase, so I agree that running at least one instance of a service physically could be justified, but threat actors will be trying to time execution of attacks against both if possible. Adding complexity works both ways here.

I don't really agree with the comments about not patching however. The premise that the physical workload or instance would be patched or updated more than the virtual one seems unrelated. A hesitance to patch systems is more about up time vs downtime vs breaking vs risk in my opinion.

Is your organization running critical workloads virtual like anything else, combination physical and virtual, or combination of all previous plus cloud solutions (off prem)?

[–] redfox@infosec.pub 22 points 3 months ago* (last edited 3 months ago)

Contract "options" are indeed normal. You could also lump government contracts into the category you're thinking about. I've never heard of a scenario where the vendor broke contract by not honoring the options. I also have never dealt with a vendor getting bought out and then not honoring existing contracts. Super fun to watch the corporate drama. I personally don't care for the private equity style business that seems to be an even bigger problem than the investor first/profit centric model that I thought was the worst thing.

[–] redfox@infosec.pub 1 points 7 months ago

My mid life birthday gift was an electric zero turn mower. Already had all electric yard tools. Will buy Tesla or best option in couple years. Never going to a gas station again!

So indeed, fuck gas

[–] redfox@infosec.pub 1 points 7 months ago

Office culture nuances... I enjoy them.


This article outlines an opinion that organizations either tried skills based hiring and reverted to degree required hiring because it was warranted, or they didn't adapt their process in spite of executive vision.

Since this article is non industry specific, what are your observations or opinions of the technology sector? What about the general business sector?

Should first world employees of businesses be required to obtain degrees if they reasonably expect a business related job?

Do college experiences and academic rigor reveal higher achieving employees?

Is undergraduate education a minimum standard for a more enlightened society? Or a way to hold separation between classes of people and status?

Is a master's degree the new way to differentiate yourself where the undergrad degree was before?

Edit: multiple typos, I guess that's proof that I should have done more college 😄


On July 25, 2023, the states of Missouri, Arkansas, and Iowa, along with intervenors American Water Works Association and National Rural Water Association, petitioned the Eighth Circuit to review the EPA’s new rule. This rule requires states to review and report cybersecurity threats to their public water systems (PWS).

The states’ brief argues that the EPA’s Cybersecurity Rule unlawfully imposes new legal requirements on states and PWSs. It also contends that the rule exceeds the EPA’s statutory authority by ignoring congressional actions that limit cybersecurity requirements to large PWSs and by changing the criteria for sanitary surveys through a memorandum.

And then there are a bunch of PLCs at water utilities compromised:

https://www.politico.com/news/2023/11/28/federal-government-investigating-multiple-hacks-of-us-water-utilities-00128977

https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems

https://apnews.com/article/water-utilities-hackers-cybersecurity-1c475f5d2ef3b5d52410c93bdeab3aad

https://www.bleepingcomputer.com/news/security/hackers-breach-us-water-facility-via-exposed-unitronics-plcs/

So many more...

Now, I can understand arguments about jurisdictions, but would the exact same requirements coming from CISA instead of the EPA have been OK, or were these places just whining about any kind of oversight? At the end of the day, they look a little foolish.


This episode of Security Now covered Google's plan to deprecate third party cookies and the reaction from advertising organizations and websites.

The articles and the opinions of the show hosts are that it may have negative or unintended consequences: rather than relying on Google's proposed ad selection scheme being run on the client side (hiding information from the advertiser), advertisers are instead demanding first party information from the sites regarding their users' identification.

The article predicts that rather than privacy increasing, a majority of websites may demand user registration so they can collect personal details and force user consent to provide that data to advertisers.

What's your opinion of website advertising, privacy, and data collection?

  • Would you refuse to visit websites that force registration even if the account is free?
  • What's all the fuss about, you don't care?
  • Is advertising a necessary evil in fair trade for content?
  • Would this limit your visiting of websites to only a narrow few you are willing to trade personal details for?
  • Is this a bad thing for the internet experience as a whole, or just another progression of technology?
  • Is this no different from using any other technology platform that's free (If it's free, you're the product)?
  • Should website owners just accept a lower revenue model and adapt their business, rather than seeking higher / unfair revenues from privacy invasive practices of the past?