HackerTrans
TopNewTrendsCommentsPastAskShowJobs

secuthro22

no profile record

comments

secuthro22
·5 лет назад·discuss
>Actually, you could, just by ignoring the things you don't see evidence of and focusing on the points that do, and assessing them based on merit.

No, you really can't. Just by including the other points in the discussion, but being unwilling to extrapolate on them, shows bad faith (perhaps unintentionally) on the part of Steve and compromises the entire discussion. The only reason you include some vague "Amazon did shady shit" in a tweet is to elicit an emotional response on the part of the reader and immediately biases the argument against Amazon. The argument is not based on merit; it never can be now, because it's been tainted. This is known as "poisoning the well" [0].

Even in this thread, commenters are saying how they implicitly trust Steve not because of the merits of his argument, but because of his personal brand. He's (again, perhaps unintentionally) taking advantage of that fact by mud-slinging at Amazon, priming readers to already be biased against Amazon, and then once called out on it the response is "oh just ignore the fact that I did that and look at this other argument which I promise is more substantive". That's not arguing in good faith.

I see all that Steve has done for Rust and I see him post here (and on reddit) a lot, so I have respect for him. But this "discussion" was brought up completely the wrong way by him, and any outcome is going to be tainted. It'd be best to just let this current discussion die, and bring it up again in the future in a more appropriate manner.

0: https://en.wikipedia.org/wiki/Poisoning_the_well
secuthro22
·5 лет назад·discuss
He said in his first tweet that he wants to have a "serious conversation", then goes on to list three grievances: that Amazon has a lot of involvement in Rust leadership, that Amazon "marginalized the core team" (but no details) and that Amazon "has done some other dirty shit" (but no details).

That's two out of three grievances that have no substance whatsoever. You cannot have a serious conversation about these things if there is not more detail. I'm not distracting from anything, I'm asking Steve to either step up and discuss these things as he stated he wants to do, or he needs to stop distracting from serious issues with these snarky one-liners. If you include something like that in a tweet, you should expect to follow up on it.

It's ridiculous and disingenuous to tweet something like that and then say "well I don't actually want to talk about that and it's your fault for not reading my mind to know that".

>That's probably why takes like that get downvoted.

My comment currently has 50 upvotes. I don't think I'm the only person saying this.
secuthro22
·5 лет назад·discuss
I wouldn't know. There might be, which is why I've asked you multiple times to explain the issue to me and yet you have neglected to do so.
secuthro22
·5 лет назад·discuss
You've replied yet again without actually stating what your concerns are. Lol "gaslighting". Ok.
secuthro22
·5 лет назад·discuss
>You can either see his history and trust that he wants to get as much done with as little said as possible or say you trust Amazon

Or I can trust neither, and expect that both sides act like adults and actually state their concerns and accusations rather than vague "just trust me, you should be upset" statements.

Whipping everyone into a furor with vague concerns without actually giving enough information to address those concerns is the worst form of "discussion", if you can even call it that.
secuthro22
·5 лет назад·discuss
What "concerns"? Again you have stated and quoted nothing other than vague "it's the structure" or allusions to "too much power". What about the structure? What power are you alluding to?

What are your concerns, exactly? Do you even have any, or are you just being dramatic about "big company bad"?
secuthro22
·5 лет назад·discuss
>You know what this is about.

No, nobody does. You keep making vague statements like this without actually saying anything.

>I assume you've read the links in my comment and the tweets

Yea, they just link to more of your own comments stating vague things like "I knew this would happen" (again, without ever saying what "this" is).

If you have concerns, state them. Otherwise this contributes nothing to the discussion.
secuthro22
·5 лет назад·discuss
I think partly so, yes. I also think in general the security industry is very bad at increasing the level of collective experience, so it sort of just stagnates.

Other fields like web development, consulting, engineering, lawyers, medical field etc all have very established career development pipelines, where you can join as a junior employee and learn on the job from those around you to become a better professional.

Security on the other hand lacks this. In the vast majority of organizations I've been in, security roles are something that you are expected to enter with an already established level of experience, and then you are dropped on a project by yourself with little mentorship or training. This makes it almost impossible to bring new people into the field.

At my company, we have a "security champions" program that is intended to allow software engineers to dedicate some of their time to security and help their team think through security challenges. But we really struggle with this program, because my company pretty much just hopes that the engineers signing up to be champions are already experienced in security. If they are not, we do not have processes in place to train them, even if they do want the training.

And what's worse, is that I even see resistance to making it easier for junior people to learn security. If you spend much time on r/cybersecurity, a common thing you will see is people insisting that security should not be an entry level job, and that everyone should be required to spend 5-10 years as a sysadmin before you're even allowed to apply for a security role. I think that's ridiculous, and not only for the reason that being a sysadmin has a lot less overlap with the world of security than people like to think it does.
secuthro22
·5 лет назад·discuss
We recruit primarily for mid-to-senior level roles (5-15 yrs experience), and it's the former. I get a lot of candidates that can recite what XSS is at a high level, but for example struggle to explain the things to watch out for that would indicate a possible XSS vulnerability.

One of the other issues I see is that we should be able to take the above-described candidate, which is maybe not exactly what we need but shows promise, and train/mentor them into the type of security professional that we need. But my company (and most others I've seen) are also just really bad at security training and career development. It's a real problem, IMO, that security is treated as an "experienced people only" industry, and is not very welcoming to people that aren't already experts but are willing and able to learn. We are trying to change this in my organization, but it's slow and challenging.
secuthro22
·5 лет назад·discuss
Eh, it's both. Other departments don't necessarily focus on security (and leetcode is certainly an idiotic way of hiring, IMO). But even in my department (where we explicitly don't use leetcode and do prioritize based on security expertise and offer a huge premium for it), we are significantly under our target headcount because finding devs (or any other role) that understand security is very, very difficult.
secuthro22
·5 лет назад·discuss
It would be the last for T-Mobile because it would end T-Mobile. But it wouldn't be the last breach ever.

I could give $5 billion to my FAANG right now and I bet we'd still be breached (hell, I'm pretty sure we already have that budget in my FAANG's security department). The US DoD already has a cyber security budget of $10 billion, and they still get breached.

You underestimate the amount that these companies care about security. Just because they get fined "only" a couple hundred million dollars doesn't mean they aren't scared shitless by being breached. I've sat in boardrooms with CEOs telling us they were willing to pay whatever it takes to increase their security (and they put their money where their mouth is, too). They still get breached.

Budget isn't everything. Does it help? Sure. Like any other security professional, I can recount plenty of tales of teams deprioritizing security in favor of something else. Would they have done differently if they were incentivized better by bigger potential fines? Maybe. Would they have actually been able to implement ironclad security even if they did prioritize it? In the cases I've seen, it's doubtful.

edit: and consider this. If you truly do think that money is everything, you should realize that you will never be able to throw more money at your security than a nation state attacker like China will be able to throw at breaching your security. In the competition of who can spend the most money, you've already lost.
secuthro22
·5 лет назад·discuss
One of the biggest problems in the security industry is a misconception that security and computer science are the same. They aren't at all.

If you're doing low level design of crypto algorithms, you need to know math. If you're doing appsec reviews or pentests, then a background in software development might help (but is not required).

But there is an entire world of security roles out there that are essential to implementing security that have nothing to do with math or compsci. The security industry right now has a huge problem with gatekeeping, where they think you can't even begin to think about security unless you're already a top-tier principal engineer, and it's led to a huge drought of talent in security roles across the board.
secuthro22
·5 лет назад·discuss
I don't doubt that T-Mobile could have done more, but it's also frustrating to see this trope that spending more money on security is some type of silver bullet. It's not.

I've been in security for over a decade. I currently work at a FAANG with nearly unlimited security budget. Previously I worked at another major tech company with nearly unlimited security budget. Before that I was a consultant and consulted at companies with huge security budgets. All of them, including my FAANG, struggle to have anything more than security that can only be described as "patchwork".

The truth is that nobody actually knows how to do security. Software devs are awful at it (the amount of FAANG engineers I know that don't even understand what encryption is, or think that hashing passwords is unimportant, would blow your mind), management is awful at prioritizing it or even knowing what to do in the first place, and every security professional in the industry is effectively just winging it based on what someone else in the industry promoted as "best practice" (and is probably outdated by now).

Sure, prolonged investment in security might help make things better, but that's not an overnight solution, and it might not be a solution at all given that the attackers are investing heavily in their methods, too. We have to do more than just acting like increasing the security department's budget is going to fix all of our problems. I guarantee it won't.