HackerTrans
TopNewTrendsCommentsPastAskShowJobs

lvh

no profile record

Submissions

If it could have, why didn't it?

alexgaynor.net
2 points·by lvh·3 bulan yang lalu·0 comments

The SOC2 Starting Seven

latacora.singles
109 points·by lvh·6 tahun yang lalu·65 comments

comments

lvh
·8 bulan yang lalu·discuss
"The operating system makes it easy to mess with" doesn't seem like a particularly useful property for application file formats.
lvh
·4 tahun yang lalu·discuss
Nope. It was pretty much just Thomas and Erin working on it, and I don't think it's operational. Sorry :(
lvh
·4 tahun yang lalu·discuss
Tailscale will let you use any SAML or OIDC provider you like in the Enterprise plan (presumably because of the cost of supporting the long tail of nonsense IdPs will produce).

(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
lvh
·4 tahun yang lalu·discuss
Depends on the kind of breach. Tailscale is extremely carefully designed to minimize that risk. Notably: Tailscale doesn't get your keys. (Granted: a compromised agent would still be a problem. It's a thing I have some plans for :-))

(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
lvh
·4 tahun yang lalu·discuss
No? The fact that some machines (notably: all your _own devices_) need to be able to reliably talk to each other does nothing to impact anonymity on the Internet. Sure, you can route everything out of your own IP using Tailscale also, and that might be desirable if you're on a crappy connection, but it's still completely orthogonal to privacy-preserving techniques like Tor (and may in fact make those easier to deploy).

Tailscale doesn't make privacy worse any more than the fact that to a first approximation, no residential Internet provider in the US has rotated an IP in recent memory.

(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
lvh
·4 tahun yang lalu·discuss
I think the best way to get a feel for what that means is Remembering the LAN[0] and then just trying it out (really, it's easy) and deciding for yourself if they're living up to it. Or grep Twitter for "tailscale" -- all these nerds aren't astroturfing :)

(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)

[0]: https://tailscale.com/blog/remembering-the-lan/
lvh
·6 tahun yang lalu·discuss
How do you currently host your Docker container at edge nodes?

(It's a facetious question: unless you're a $100B company you're not doing anything of the sort.)
lvh
·6 tahun yang lalu·discuss
This basically bumps the amount of behavior you can stuff into the edge by several orders of magnitude. Previously, Lambda@Edge will like, maybe validate a JWT. Now, you can put like half your app in there. It sounds like a tiny incremental change but it's big enough that it simply redefines what's even possible in a POP.
lvh
·6 tahun yang lalu·discuss
I'm so glad you've launched. I loved the entire thing every time you've explained it. Absolutely chuffed to see Wireguard and Firecracker getting deployed "in anger". Tensorflow@Edge sounds like the good kind of bananas to use it with.

Your quickstart being called speedrun is too good for you alone to have it, so I'm stealing it the next chance I get.

Either way congratulations Kurt & team! (and no I still have not bought that Safari 911 or any 911 for that matter and yes professional help is being sought).
lvh
·6 tahun yang lalu·discuss
Saying it was just for phones is your quote, so I think your reaction is a little misplaced. If you don’t want people to tell you what Jamf Pro does then maybe don’t make being wrong about your what Jamf Pro does part of your argument.

(Plus, if you think this is about buying any particular product, you have woefully missed the point.)
lvh
·6 tahun yang lalu·discuss
Wait, I can't find Love Actually and Say Anything in the post. Are you talking about a draft?
lvh
·6 tahun yang lalu·discuss
I'm guessing we have a different opinion on what "competing solutions" or "accurate user <-> device attribution" or "setting up an LDAP server" mean. I'm sure there's a version of this story where somebody picks Intune (it manages everything!) and then decides to run their own AD install (inexplicably) where that description is accurate, but we've seen a pile of people deploy Jamf Pro/Connect to GSuite/Okta and what you're describing does not match my experience.

With GSuite in particular, nobody set up any LDAP. It's an OIDC app, you do not run Connect Verify or Connect Sync. There's LDAP going on when you're authing against Azure, but if you're in that situation AD seems like what you want?

I read your description as suggesting that if you pick anything other than your product, there's necessarily an AD DS or slapd in your future, and I hope we can agree that's definitely not the case. In the most common case for our audience (startups) it's not even any LDAP at all.

Is it fewer clicks in Fleetsmith? Maybe? Probably? And you have to know whatever the hell a "PreStage Enrollment" is which is not as easy as it could be. But I think you're making it sound a lot more hairy than it is, particularly for a deployment with "hundreds or thousands of devices". The hard problem facing that IT team is not finding someone who is unafraid of the words "Preference Domain", come on.

(To reiterate my position: I am not saying Fleetsmith is bad, I'm saying that I think your post makes it sound like anything besides Fleetsmith is a world of pain, and I accept that you probably extra-believe that as someone who founded Fleetsmith (not in the sense of "you're lying" but in the sense of you don't bet the farm on trying to fix things you don't think are broken), but, I think a) whatever Fleetsmith is fine and yes it's probably better at doing the limited set of things you should be doing but b) compared to our experience this is a pretty wide exaggeration of how bad anything else is like.)
lvh
·6 tahun yang lalu·discuss
> And what's with the JAMF pro recommendation? MDM is more than iPhones

JAMF Pro is not just for iPhones.
lvh
·6 tahun yang lalu·discuss
Maybe! Generally, I get the impression auditors haven't changed their tune much, and we've seen success with people ELI5ing controls and why they are good.

For malware in particular, on the server side, we've seen:

a) auditors not asking after seeing convincing endpoint answers

b) people be successful with scanning container images and then just arguing that containers aren't long-lived enough to matter (and having other infrastructure level controls to argue that if something does leave a container you'll see it somewhere).

That only works if you actually have short-lived containers though, of course :D
lvh
·6 tahun yang lalu·discuss
I feel like that's recognized in the article: we even point out that anti-malware is one of the few (technical) things the AICPA criteria do care about. The point is not that you need SSO, the point is that it is _much simpler_ to demonstrate you've got anything resembling an access control story if you do SSO. You are not doing it because it's the only way, you're doing it because it's the best way.
lvh
·6 tahun yang lalu·discuss
Maybe! I get the impression there are definitely plenty of people have bought SOC2s the way they also buy pentests: "I'm spending $X0,000 today so I can close $X00,000 in sales tomorrow". Which of course, we as security people would say is spending a lot of money and getting nothing, and the business person says is a necessary expense and something to keep in mind when re-evaluating margins :) (But yes lots of companies also mistake SOC2 for a security audit of course!)
lvh
·6 tahun yang lalu·discuss
Thanks! Just fixed that.
lvh
·6 tahun yang lalu·discuss
I have no problem with Fleetsmith and sure Jamf ain't perfect but... just to restate your point briefly: you're claiming "show inventory, turn on FDE, don't fuck up XProtect" are "very time-intensive efforts" with Jamf Pro?
lvh
·7 tahun yang lalu·discuss
True, but bypass capacitors don't produce ad revenue.