SandwichTeeth | 1 year ago | on: CrowdStrike's impact on aviation
This is massively underselling the kind of change management processes and potential challenges of scale a deployment like this would require at large enterprises. It's never as simple as "deploy app to nodes". Approvals, maintenance windows, deployment in waves (ironic I know, given the nature of the outage in the first place). Most places I've worked would require deployment to many sets of lower-environment machines of different functions first, then allow time to "bake" and ensure no issues crop up after things have settled. You would NEVER just yeet out a new agent to critical production systems without extensive change management, testing, and validation. I've deployed different AV products multiple times throughout my career (including Crowdstrike). It was never simple, and almost always took months to complete.
SandwichTeeth | 4 years ago | on: What does 2022 have in store for cybersecurity and cloud security specialists?
Doing incident response was the most stressful job I've ever had. I left it to do security engineering and don't miss it in the slightest. So many nights and weekends blown on calls with lawyers, executives, etc.
SandwichTeeth | 7 years ago | on: State of web browsers in 2018
Interesting, is that just because of the privacy implications of using chrome?
My experience has been that most desktop IT teams don't have the resources to fine-tune browser configs on endpoints around things like corporate web filtering proxies so they just jam the cert in the OS store and call it a day. You can use Chrome, IE, or Firefox if you know how to get and import the cert (which most users do not). Sometimes users would submit tickets saying they wanted to use Firefox but couldn't get to any web pages, to which the IT team would reply "We don't support Firefox, use Chrome or IE" and that was that.
SandwichTeeth | 7 years ago | on: State of web browsers in 2018
Firefox has some catches that make it not as easy to use in a work environment though and I honestly think will hurt their market share over time, mainly the fact that it doesn't use the OS cert store. This causes issues with most corporate web proxies that do SSL inspection since IT departments will push the proxy CA cert into OS cert stores through whatever endpoint management solution they have.
People can disagree all they want about SSL interception in a corporate environment (for good reason), but it's here to stay. When a corporate user downloads Firefox, tries to simply go to Google and gets a cert error page, they're just going to go back to Chrome because the process of exporting your company's CA cert and then importing it into Firefox so you can use the browser is just simply not feasible for most users.
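Firefox's enterprise policy engine can be told to trust the CA roots that an IT department has already pushed into the OS certificate store, which removes the export-and-import step the comment describes. The following is an added configuration example, not part of the post above: it assumes the file is deployed as distribution/policies.json inside the Firefox installation directory (the same Certificates policy is also available through Group Policy on Windows) and that the proxy CA certificate is already present in the OS store.

```json
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true
    }
  }
}
```

With this policy in place Firefox reads the OS trust store in addition to its own, so a freshly installed browser behind an SSL-inspecting proxy loads pages without a certificate error. The equivalent per-profile switch is the about:config preference security.enterprise_roots.enabled; the policy file is preferable because it is set once per machine and locks the value.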
SandwichTeeth | 7 years ago | on: Microsoft will require suppliers to offer paid parental leave
Many US employees are literally living paycheck to paycheck. Not being given paid leave would mean not taking leave at all as they cannot afford to miss a paycheck.
SandwichTeeth | 7 years ago | on: Life as a bug bounty hunter
I found and submitted a bug once through bugcrowd to a very well known company where a session cookie could be used for complete account takeover even after the user had signed out etc. I was blown away when I got the "duplicate" response for a submission that was almost a year old. I wonder if they've ever fixed it...
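The failure mode in that report, a session that keeps working after sign-out, comes from logging out on the client only (clearing the cookie) while the server-side session record stays valid. The following added example, written for this page and not taken from the comment or from any real company's code, contrasts the two logout patterns with a constructed in-memory session store (the store, the user name and the TTL are assumptions for illustration).

```python
import secrets
import time

# Assumed session lifetime for the example; a real service would tune this.
SESSION_TTL_SECONDS = 3600


class SessionStore:
    """Constructed in-memory session store: session_id -> {user, expires}."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        # Opaque, unpredictable identifier; the server keeps the mapping.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "user": username,
            "expires": time.time() + SESSION_TTL_SECONDS,
        }
        return session_id

    def user_for(self, session_id):
        """Resolve a presented cookie value to a user, or None if not valid."""
        record = self._sessions.get(session_id)
        if record is None:
            return None
        if record["expires"] < time.time():
            del self._sessions[session_id]
            return None
        return record["user"]

    def logout_client_only(self, session_id):
        # Flawed pattern: only instruct the browser to drop the cookie.
        # The server-side record is untouched, so any retained copy of the
        # cookie value still authenticates until the TTL expires.
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout(self, session_id):
        # Correct pattern: revoke the server-side record first, then clear
        # the cookie. A retained copy of the value is now worthless.
        self._sessions.pop(session_id, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def demo_client_only_logout():
    """Replays a saved cookie value after a client-only logout."""
    store = SessionStore()
    saved_cookie = store.login("alice")  # constructed user
    store.logout_client_only(saved_cookie)
    return store.user_for(saved_cookie)  # still "alice"


def demo_server_side_logout():
    """Replays a saved cookie value after a server-side logout."""
    store = SessionStore()
    saved_cookie = store.login("alice")
    store.logout(saved_cookie)
    return store.user_for(saved_cookie)  # None


if __name__ == "__main__":
    print("client-only logout resolves to:", demo_client_only_logout())
    print("server-side logout resolves to:", demo_server_side_logout())
```

The test to run against a real application is the same as the demo: capture the session cookie value, sign out through the normal UI, then present the captured value to an authenticated endpoint. If it still resolves to a user, logout is not revoking server-side state.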
SandwichTeeth | 7 years ago | on: The impact of the ‘open’ workspace on human collaboration
Honestly I think the noise and chaos of open offices are positives to executives because it creates the appearance of work.
I follow some of the executives of the company I work at (we have an open office) and they are constantly posting pictures of "teamwork and collaboration" that just have a bunch of people standing around each other's desks talking. They see all the movement and noise and they love that it seems like everybody is hard at work, collaborating and discussing problems etc. But if you look a little closer, the people doing actual work are hunched over their desks with huge headphones on, and everybody standing around is either not talking about anything related to work or rehashing discussions that have already happened over IM/email/meetings. I expressed to my manager that I had a hard time working in this environment and would like the chance to work from home more often but was dismissed because he "likes the open office" and our management has the view that if you are working from home you probably aren't working.
SandwichTeeth | 8 years ago | on: Panera Bread did nothing about its customer data vulnerability for eight months
This is actually an interesting case from a PCI perspective. PCI doesn't protect last 4 of a credit card number or names individually, as you wouldn't be able to link name to card number if stored separately. Name is only 'cardholder data' when stored with a full cc number. In this case both name and last 4 are stored and revealed together, but I still don't think that constitutes PCI protected information according to their definition of cardholder data. My initial interpretation is that they wouldn't be in breach of PCI from just the information we have publicly available about this issue.
SandwichTeeth | 8 years ago | on: Starcraft II goes free-to-play seven years after launch
Hah I should clarify, when I said HotS, I meant Heart of the Swarm expansion for SC2!
SandwichTeeth | 8 years ago | on: Starcraft II goes free-to-play seven years after launch
"ADHD millennials" generalize much? I am a millennial who loves the 1v1, competitive aspect of SC2, but I also love games like Civ, Crusader Kings, Hearts of Iron etc. There are other RTS games out there for you, but I don't understand why SC2 being competitive is a negative thing. Yeah, competitive sc2 games are fast, but a lot of games with a dedicated, competitive player base are going to play fast because mechanical, execution advantages are a valid way to win. But watch a pro sc2 game and you'll notice that there is a ton of thought and strategy that goes into every game. Sometimes it's a mindgame against the opponent because they have a known playstyle, sometimes it's a clever reaction to the way an opponent is playing in that particular game. You can play aggressively and try to pressure your opponent to make mistakes, or you can play defensively and try to strike when you've spied an opening. Claiming it lacks strategy because of the speed at which games play out is selling it way short.
SandwichTeeth | 8 years ago | on: Starcraft II goes free-to-play seven years after launch
I started in bronze, managed to grind all the way up to diamond with all 3 races. I enjoyed it because I also followed the esport scene around it. Honestly, it was the esport scene that drew me in initially back in 2011ish. It was fun to watch pro games, become inspired to play better, and then immediately jump on the ladder and try out new things I've learned. I took a big break partway through HotS due to the very stale metagame that made it boring to play and watch, but I recently picked it up again and managed to get diamond again with all 3 races. I think it's in the best shape it has ever been.
SandwichTeeth | 8 years ago | on: Starcraft II goes free-to-play seven years after launch
Yeah I stopped playing during HotS despite being very passionate about the game because it just became so boring to watch at the highest levels which broke my heart. But I recently picked it up again and just finished watching the WCS finals this past weekend. I think SC2 is the best it has ever been in terms of gameplay for both players and spectators. Most of the matches I watched over the last few weeks have had intense, back-and-forth games that really showed off the multitasking these pros can exhibit. I didn't see very many games which were decided by a mid-game deathball fight which has been fantastic to watch. This is how it should have been all along. I highly recommend that anyone who put it down some time ago check it out again, I think you'll be pleasantly surprised!
SandwichTeeth | 8 years ago | on: I have no side code projects to show you
I think that coding tests and challenges apply a sort of artificial pressure and requirement to have things memorized that aren't there in the real world. I think it would be a mistake to discount a candidate who has good code on their GitHub, where they had time to sit and think through problems without being under a magnifying glass, but trips up during a technical interview challenge/puzzle/whiteboard or whatever. Maybe with those candidates you could actually walk through their projects with them and try to determine if they have a deep understanding of what they wrote. To me, that seems a better indicator of how they would perform on a team with real problems, rather than having to puke up a pseudocode merge-sort from memory.
SandwichTeeth | 8 years ago | on: Flush times for hackers in booming cyber security job market
Honestly, as someone who is leaving "blue-team" network security work for a "DevOps" production team (I know, I know), it's really a mixed bag. I've done blue-team for 2 companies now and honestly the job is more project management than anything else. I found that I was very rarely actually getting hands-on with technology. When implementing a new piece of security tech, we were simply directing other teams to perform most of the actual technical work (this was the case at both of my "security engineering" jobs). I didn't get any of the satisfaction of building anything, solving problems etc.
The other big thing to note is that a lot of companies have security teams solely to meet audit requirements. If you find yourself on a team like that, you'll be spending a lot of time just gathering evidence for audits, remediating findings and writing policy. I really loved security intellectually, but in practice, the blue-team side of things wasn't my cup of tea.