[HN Gopher] "In roughly two hours, 1647 devices are about to be ...
___________________________________________________________________
"In roughly two hours, 1647 devices are about to be wiped"
Author : terom
Score : 506 points
Date : 2023-01-31 16:36 UTC (6 hours ago)
(HTM) web link (infosec.exchange)
(TXT) w3m dump (infosec.exchange)
| kerblang wrote:
| I would go with an incremental progression of something like 100
| random devices a week for 17 weeks, so that people _see_ the
| tidal wave eating others and suddenly "get it". Less
| overwhelming for the service/support desk folk too.
| Oxidation wrote:
| Or start with the "most critical" devices: those belonging to
| the highest-ranking users. They're the high-value hacking
| targets so it's only reasonable. Might unstick a few wallets
| better than hitting mostly rank-and-file for something they
| have no control over.
| basch wrote:
| If you are this close to a deadline, it doesn't really matter
| anymore. There is no avoiding the iceberg. You can fix your
| organization for next time, which is what the org believes it
| has initiated.
| Oxidation wrote:
| Well, yes you don't do this two hours out, you'd need to do
| it some time in the 13 months they knew about it for it to
| work.
|
| But at the end of the day, they did the job they were paid
| to do and were clear about the looming impact. It's not
| their job to also wipe their clients' metaphorical bottoms
| when they were ignored.
| gumby wrote:
| Or incrementally degrade service (lock out web browser, then
| email...)
| jdironman wrote:
| The problem with that is, it's most likely those devices
| which are already compliant / up to date.
| masklinn wrote:
| TFA explains that this was a _self-imposed hard cutoff_ :
|
| > For anyone wondering why we don't just lift the compliance
| restrictions, we don't specify it. Their Compliance department
| does
|
| after a year-long grace period:
|
| > The machines came to end of life about 12 months ago, and the
| company being a multi-billion dollar operation managed to eke
| out another year of manufacturer support. Mostly symbolic as
| they're not exactly going to release custom firmware for a
| handful of devices. They then put a set-in-stone tombstone date
| on support. 12pm today.
|
| This was imposed internally by the company's compliance and
| legal departments, TFAA is the executioner but the execution
| would be contractually mandated:
|
| > They require, and have specified, a zero-tolerance for device
| non-compliance.
|
| This means an unapproved batched and drawn-out phaseout would
| be a breach of contract.
| kerblang wrote:
| Various people seem to think I'm blaming the person doing the
| work - nope, I didn't. Blame isn't the point and won't fix
| anything. But strategically the best option is to work with
| stakeholders towards incremental force, squeezing the trash
| compactor slowly. If stakeholders insist on backing everyone
| into the worst possible corner, then so be it; next time
| they'll probably listen.
| tremon wrote:
| But you keep implying that the onus is on the poster, who
| is a third-party service provider, to resolve this, or at
| least get everyone around the table. It's not -- the issue
| is between the company's compliance department and
| operations. All the stakeholders for this issue are _inside
| the company_ , and the poster is not.
| mlyle wrote:
| > This means an unapproved batched and drawn-out phaseout
| would be a breach of contract.
|
| You could brownout or kill a few a few days before the real
| issue, though, potentially.
| amluto wrote:
| Which might breach an SLA or itself be deliberate
| malfeasance. If I were in this position, I would want to be
| absolutely squeaky clean.
|
| What one could try is to call the CEO directly. Or maybe
| try the legal backdoor: contact the general counsel, tell
| them that the contract says such-and-such, that you think
| the contract is well written and you intend to do what it
| says, but that the organization should be aware that it may
| cause a problem. If legal doesn't know how to get the CEO's
| attention, then something is very wrong.
| masklinn wrote:
| The very first post of TFA lays out that they've been
| sending emergency-level alerts for a while (aside from
| that being a year-long issue):
|
| > 4 meetings, 124 emails, and two phone calls a day for
| the last 14 days have warned them of this.
|
| There's only so much you can do.
|
| > If legal doesn't know how to get the CEO's attention,
| then something is very wrong.
|
| From the thread legal (and / or compliance) is the setter
| of the issue, and was well aware that it would cause
| issues (for a minority), but they were not in charge of
| resolution. And from downthread posts, they likely
| extensively documented their warnings:
|
| > oh I'm absolutely backing the horse with the 3 miles of
| email threads proving this
|
| And methinks legal and compliance had very much planned
| for the issue coming to a head, because they were getting
| fed up with being blown off, and having to shoulder the
| legal or regulatory risk.
| ChickenNugger wrote:
| I think this is exactly it.
|
| A year to make fixes and nothing was done?
|
| Legal is like, "We warned you every way we possibly could
| have."
|
| "two phone calls a day for 14 days" is far from
| insufficient notice, to say nothing of the rest.
| spoils19 wrote:
| I disagree. In conservative companies, it would be common
| to meet in person and give a firm handshake, before
| taking out the required documents from a briefcase. It's
| sad to see this tradition evaporate.
| stickfigure wrote:
| > This means an unapproved batched and drawn-out phaseout
| would be a breach of contract.
|
| You can always start early.
| Dylan16807 wrote:
| How about just saying it'll take 6 hours between the lockouts
| and the wipes.
| kneebonian wrote:
| Based on the thread I think it was Legal and Compliance forcing
| it. It may have been regulatory required. Also they say they
| are managing on behalf of their client, so their position as
| mercenaries is just to follow orders.
| lifefeed wrote:
| Github once did brownouts on features they were removing. For
| 12 hours, then later for 24 hours, they turn off the feature
| temporarily. The idea was to cause alarm bells to start loudly
| ringing for anyone still using it.
|
| https://github.blog/changelog/2021-04-19-sunsetting-api-auth...
|
| I don't know if that concept would work in this case,
| compliance is its own beast, but I love that idea in general.
| ufmace wrote:
| But that would involve actual planning. When do you do that?
|
| Do it for 17 weeks before the out of support deadline? The
| users start screaming, we still have 17 weeks left before the
| deadline, how dare you disable us early! And they get enabled
| again.
|
| Do it for 17 weeks after the deadline? The compliance people
| start screaming, you have 1600 devices out of compliance, we
| need them shut down now!
| Aachen wrote:
| I think it is this sort of logic that will puzzle aliens the
| most, should we ever be on speaking terms with any.
| Thetawaves wrote:
| Bureaucracy is universal, I'm sure they will understand
| this extremely well.
| [deleted]
| 0xbadcafebee wrote:
| It's like a dog owner whose dog has been shitting on the sidewalk
| for so long that the owner eventually can't walk on the sidewalk
| without stepping in their own dog's shit.
|
| But they will absolutely blame the dog.
| mysterydip wrote:
| > "So for a whole year, they knew this was coming.
|
| But nobody wants all that additional spend, so close to year end.
| Departments bickering over who's responsibility it was, who's
| budget it came out of, and so on. So everyone dug their heels in,
| and we continued to shout "iceberg!" from the sidelines."
|
| I've seen this play out multiple times over the years. What's the
| solution?
| scottLobster wrote:
| Leadership. Unfortunately most companies with bloated middle
| management layers spread the responsibility so thin that the
| level of consensus required to take action would stump the
| reincarnation of George Washington, Augustus, Gandhi and Genghis
| Khan combined (granted Genghis would probably just murder
| anyone who opposed him, which sadly would probably improve a
| lot of companies).
|
| Even in my program of just north of 100 people broken
| infrastructure follows that same pattern. Something moderately
| breaks, the devs complain, they are sympathetically told to
| make do. Rinse and repeat until the devs realize their
| complaints never get addressed and stop complaining past a
| quick email. Then something REALLY breaks with no workaround,
| devs mention it's been heading this way for a while, and
| management, all aghast, exclaims "well why didn't you say so
| earlier if this was such a problem?". It's to the point where
| we (the devs) have started keeping locally archived email
| records just for the "told you so". Which of course makes us no
| friends because we point the blame where it belongs, so we're
| officially covered but our complaints get listened to even
| less. And the infrastructure is fixed just enough to limp along
| until the next catastrophic explosion.
|
| You need someone who gives a shit with the power to crack the
| whip. In short, you need to give someone enough power that they
| can potentially abuse it, something modern business is allergic
| to.
| madaxe_again wrote:
| Your post describes the problem more succinctly than you
| might think.
|
| You are trying to do a _good job_ which might lead to a
| promotion. You see the rules and operations of the
| organisation as something to work within.
|
| The people who ignore you are trying _to get promoted_. They
| see the rules and operations of the organisation as an
| irritating backdrop to their personal goals. The job could be
| anything. Ascent is all that matters.
|
| They will get promoted. You will retire one day, your nerves
| fried.
|
| The incentives are all wrong, and playing the social metagame
| rather than playing the game by the rules _always_ results in
| an advantage, and thus this behaviour is inherently embedded
| in any human structure.
|
| The solution isn't "better management" - it's in fundamental
| societal change, which ain't coming any time soon.
| JamesBarney wrote:
| Better management seems like a much more tractable goal
| than "fundamental societal change" or "rework human
| nature".
| madaxe_again wrote:
| It's tractable, sure, but it doesn't solve the inherent
| problem of human nature and tribal dynamics.
|
| Put an impartial AI in charge and it will make the right
| decisions -- and people will riot over the injustice.
| Ultimately, you'd have to go machine the whole way and
| the humans can all go bake bread and have wars over that
| or something.
| avgcorrection wrote:
| But, but... leadership?
| throwawaysleep wrote:
| I think they should focus on fixing the "gives a shit" part
| of it.
|
| There is very little reason for an employee to care about
| preventing a failure they will not be directly held
| accountable for. I don't care if we lose clients. I don't
| care if we get hacked.
|
| My life is not impacted one way or another by whether the
| divisions I work in succeed or fail, unless they utterly
| fail.
|
| So if this Intune thing landed on my desk, I would do nothing
| about it. Give me some incentive to care and I would.
| avgcorrection wrote:
| > Leadership.
|
| Cringe.
|
| Apparently most managers can't even manage properly. Most of
| the time this "ship" word is tantamount to stolen valor in
| the workplace.
| tremon wrote:
| Most managers aren't leaders. Yes, leadership is the
| solution here, and it's not cringeworthy. Manageship is.
|
| In dysfunctional organizations, the management structure
| exists to rein in true leaders. In a healthy organization,
| leaders are recognized and supported by management, whether
| they're in management positions themselves or not.
| avgcorrection wrote:
| I recoil precisely because this in practice is a mythical
| concept that managers and others in formal positions of
| bosshood self-aggrandize about.
| acomjean wrote:
| I remember asking the facilities person responsible about an
| office move 3 times. I was ignored. I emailed a manager about
| moving my office. I was polite. I was ignored again. A
| coworker suggested emailing the department head.
|
| Within a minute the department head forwarded my request to
| the manager who was ignoring me and told him to take care of
| it. It was done promptly. I got the email chain when it was
| done; there was some comment from the manager who ignored me
| to the facilities person who ignored me, that it "should never
| have been allowed to escalate.."
|
| I don't miss big companies sometimes.
| raverbashing wrote:
| Yeah I love that attitude
|
| Don't want the issue to escalate? Then maybe do the job
| you're paid to do
| spc476 wrote:
| The company I worked for got bought out, and new management
| took over (of course). I kept raising issues about how
| broken the new "Agile development system" was. My
| complaints hit a VP level, who was "looking into it." Until
| said VP was "let go" and replaced. New VP said, "How
| unfortunate" to my complaints.
|
| So much for escalation. I no longer work there (I left; I
| wasn't fired).
| chemmail wrote:
| So you are telling me, some of the highest value
| companies, like Apple and Tesla having two huge asshats at
| the top means something?
| advisedwang wrote:
| The author goes on to say centralized IT procurement. I.e. IT
| should have been the one supply devices, in which case they'd
| have replaced all the relevant devices rather than it being the
| responsibility of every dept.
| MagicMoonlight wrote:
| Set aside a percentage of the cost each year in a pot so that
| when you need to buy you can just use those savings instead of
| draining your entire budget.
| pm3003 wrote:
| Some low level guy using an opportunity to alert upper / upper-
| middle management, more or less backed by his or her middle
| manager.
|
| Seen some years ago. A mail was then sent from CEO to CxO along
| the lines "it seems there's something hiding under a rock
| there, please check it out". The guy who talked about the thing
| was a recognized expert in his own domain, while the CEO was on
| a kind of "thumbs-up tour". The manoeuver had been briefly
| discussed with the expert's hierarchical chain and pitched as
| an opportunity for action rather than "those guys don't do
| their jobs".
|
| A small shitstorm followed in middle management, at the end the
| problem was quickly solved, deemed "not that important in the
| end", and since no one was at fault and no one innocent,
| everyone quickly went quiet again.
| protastus wrote:
| The solution is escalation.
| tedunangst wrote:
| Who should escalate to who and what should that person have
| done in this scenario?
| madaxe_again wrote:
| Correct answer. You do not win by playing a defensive game,
| and it's essential to realise that _the organisation's goals
| are not your goals_.
|
| The correct strategy here is to go on the offensive. Make
| friends with your manager's manager's manager. Just go full
| on social bribery mode. Invite them for Christmas dinner.
| Even if they decline, it will make them remember you, and
| next time, ask them to a barbecue or a picnic instead, and
| they'll say yes. If you can't throw that high, shoot for your
| manager's manager. Once you're in, get the dagger in your
| manager's back, but only once you've made them a pariah, take
| their role, and repeat until you retire wealthy. Remember to
| take every opportunity to accrue political capital.
|
| Eventually you will be in a position to fire people who make
| poor decisions, but you won't, because the salary is good,
| and retirement is only a few years off.
|
| You literally cannot prevent this behaviour in any human-
| operated organisation of any scale beyond a fistful of people
| - you can only co-opt it.
| kulahan wrote:
| Yep. The whole point of escalation is so someone can tell
| everyone to shut up and do X. Solves all these problems.
| mrguyorama wrote:
| The solution is to stop treating upper management as gods who
| can do no wrong, and start firing them for creating hostile and
| terrible systems.
| bauble wrote:
| Leadership.
| PenguinCoder wrote:
| *Better leadership.
| sidewndr46 wrote:
| This reminds me of a particular project that I was tangentially
| involved in. It had a large capital expenditure at the start of
| it. After working there for a few years, I eventually realized
| the project was scheduled for next quarter. Literally. As in,
| no one ever wanted to take the budget hit this quarter so it
| was always just included in next quarter's budget.
| wisemang wrote:
| "Q5"
| Blackthorn wrote:
| Finding and solving issues like this is one of the reasons
| leaders get paid. If they aren't doing their job, there's
| nothing you can do about it.
| zokier wrote:
| People parrot "leadership" as if saying that people need to do
| better makes it happen. A more constructive suggestion is to make
| sure these sorts of things get good post-mortems, even better if
| publicized and made case studies in MBA curricula. That
| would have at least a chance of people learning how to be
| better leaders.
| throwawaysleep wrote:
| Employees need incentives to prevent problems, even if they
| aren't responsible for them.
|
| In this case, the smart thing for every person who could have
| done something was to take no action, as they would get no
| credit for preventing a problem but would take a budget or
| resource hit for doing so.
|
| I am a fire fighter, not a fire marshal. Fire fighters are
| heroes. The fire marshal is a pest.
| game_the0ry wrote:
| > What's the solution?
|
| Archive those CYA emails and enjoy the popcorn as you watch
| management sink on the Titanic.
| AndrewKemendo wrote:
| Yup - and guess what, the only people hurt by this are the lowest
| level people. No manager or exec will feel any pain from this
| incompetence. Someone who isn't responsible but couldn't do their
| job effectively as a result is having a worse life now.
|
| This is one of the primary reasons why I am totally done with
| Tech
|
| The distance between users and builders is so excessively far
| apart now and the levels of abstraction for actually building
| things that are robust is just not even a consideration in
| software-centric design. Literally everything you have built
| after IDK 2000(?) will have exactly this issue. Just hope you're
| not at a scale that crushes people.
|
| Software is the language of alienation and increasingly becoming
| unethical, as these systems are becoming increasingly impactful
| on the most vulnerable with no buttresses or supports preventing
| this kind of malfeasance.
|
| It's not trivial. These are people's livelihoods at stake.
| MilStdJunkie wrote:
| Unfortunately not limited to tech industry. I watched a
| publications department sit on a blacklisted application stack
| for five years, as IT - with plenty of warning - kept screaming
| that it was going to get turned off.
|
| A complete absence of tool selection, migration, or any
| preparation whatsoever, because the new tool couldn't be funded
| from leadership, so the horrible ship kept belching forward.
| Until it was shut down. End result was seventeen people sitting
| on their thumbs for years.. and a totally fragged publication
| environment that never recovered, the product of which will -
| at best - be waived on future contracts at some incredible
| cost. At worst, it will be yet another barrier to the already
| marginal business.
| spelunker wrote:
| IMO most reasonable managers would not blame the individual
| contributors for not being able to do their job because of a
| security and procurement issue that is out of their hands. I
| suppose it can happen, but if you're working at a place that
| has management like that perhaps it's time to look around.
| scns wrote:
| Claiming responsibility or shifting the blame, what is better
| for your career?
| brazzy wrote:
| > Software is the language of alienation and increasingly
| becoming unethical, as these systems are becoming increasingly
| impactful on the most vulnerable with no buttresses or supports
| preventing this kind of malfeasance.
|
| This doesn't really have that much to do with software. As with
| many other things, software can make it easier to have this
| kind of crap, but it is not the cause and not a prerequisite.
|
| Case in point: Franz Kafka wrote _The Trial_ 30 years before
| ENIAC.
| opamp wrote:
| > No manager or exec will feel any pain from this incompetence.
| Someone who isn't responsible but couldn't do their job
| effectively as a result is having a worse life now.
|
| > This is one of the primary reasons why I am totally done with
| Tech
|
| Is it that much better in other fields?
| AndrewKemendo wrote:
| Yes. For example German workers have better than average
| protection from exploitation
|
| This is from 2018 and shows where you can actually have some
| rights as a worker. It's not hopeless: https://www.ituc-
| csi.org/IMG/pdf/ituc-global-rights-index-20...
| tedunangst wrote:
| German workers have protection from their company owned
| laptops being disabled?
| sillyquiet wrote:
| No, it's not. Not in any white collar professions, not in any
| blue collar jobs, not in the military, not in academia.
|
| You are only safe when you don't have bosses and all
| responsibility and power rests on yourself.
| AndrewKemendo wrote:
| Almost...you find coworkers and share responsibility
| mutually. You don't need to put it all on your own back.
| Xeoncross wrote:
| As I sit here spending hours and hours importing packages,
| installing modules, downloading tools, finding libraries,
| patching scripts, following deployment guidelines and building
| gigabytes and gigabytes of artifacts ...for what amounts to a
| mobile app wrapper around HTML pages.
| api wrote:
| The disease has a name: over engineering.
|
| https://www.smart-jokes.org/programmer-evolution.html
|
| Most working programmers are in the middle near "seasoned
| professional." They spend all their time thinking about how
| to manage complexity when they should be thinking about how
| to avoid it.
| AndrewKemendo wrote:
| Oh my I hadn't seen this before and it is divine!
| pas wrote:
| The app epidemic is mostly thanks to one single dead dude.
| Of course it made (and continues to make) billions to
| Apple. Then naturally half the industry wanted in on the
| app store game.
|
| Eventually it might stop being such a cash cow - maybe
| thanks to endless numbers of teenagers hyping Fortnite.
| anyfoo wrote:
| That's one of the reasons I like my low level system
| programming job (maybe you could call it "embedded"). Of
| course it has problems of its own, but this particular area
| is at least a little bit better.
| joezydeco wrote:
| Except the pay sucks. You can make a lot of money
| concatenating HTML strings.
| anyfoo wrote:
| That is not universally true.
| spoils19 wrote:
| That is universally true.
| OrbOfConfusion wrote:
| This is extremely untrue; a barely competent embedded
| developer can make gobs of money. It's a much rarer
| skill, somewhere at the intersection of software
| developer and electrical engineer.
| [deleted]
| LorenPechtel wrote:
| Management will suffer when this mess results in them
| underperforming.
| sneak wrote:
| I think this is a common refrain but no line-level worker is
| losing their livelihood because they were part of the 25% of
| the company whose machine just stopped working.
|
| If anything they are part of the 25% of the company who just
| got a few extra paid vacation days.
| throwawaysleep wrote:
| 1. The people to blame here are not the builders.
|
| 2. The people impacted are employees who now have a few days
| chilling. I would love to have this problem as an employee.
| danjc wrote:
| As much as I hate the concept, sometimes brownouts are the only
| way to force people to make a change and avoid complete disaster
| on D day
| nunez wrote:
| Scream testing is underrated for sure.
| danpalmer wrote:
| Why do you hate the concept? I've seen it done a few times in
| different areas and I think it's a neat way of notifying people
| in large organisations/ecosystems. As long as the brownout is
| done after the support period, i.e. it's "contractually" ok to
| do so, it seems like a good idea.
| jaywalk wrote:
| Brownouts can be very useful in finding impacted systems that
| may have been overlooked as well. Last month, I had to do
| some updates because a customer's API had moved to a new URL
| on a new server. My team and I identified (what we thought
| was) everything using the API and did the updates.
|
| A week later, the customer notified us that they were still
| seeing some traffic on the old URL, but all they could give
| us was the IP address it was coming from. Unfortunately this
| IP address belonged to a server that hosts a lot of our
| smaller applications, so it didn't really help locate the
| offender. So I just added a firewall rule to block access to
| the IP address of the customer's old server, and sure enough
| I heard the scream 15 minutes later. Removed the rule to get
| that application back up and running, got it updated to the
| new URL, and all was good.
| ploum wrote:
| In "Work without email", Cal Newport explains a case where a whole
| financial institution was margin-called for the exact same
| reason.
|
| They knew it was coming. They were willing to fix it. They spent
| weeks exchanging emails on how to set up a meeting to solve the
| problem. The problem eventually solved itself.
|
| Had a pretty similar experience with management early in my
| career that was eye-opening on how incompetent every single
| manager was. Became a manager myself with the intention of
| avoiding that. I could not. Changed career path.
| momojo wrote:
| > Became a manager myself with the intention of avoiding that.
| I could not. I appreciate the honesty. What was that experience
| like?
| ploum wrote:
| As a manager, you simply don't have the time to dig into
| technical issues. You can't take uninterrupted 4 hours to
| enter into the code and debug something. When you are a new
| manager with a deep experience of the technology, you don't
| see it immediately. But the longer you manage, the more your
| experience becomes irrelevant (for example: my team switched
| from Angular to React. I never did any React and there was no
| way for a manager to dig into it at the same rate as the
| team).
|
| It took me two jobs as a manager to realise that, at least in
| software development, a manager's job is to pretend. To make
| uninformed decisions and lead the team without understanding
| anything of what is happening. You also spend your time
| negotiating with upper levels that want everything without
| even thinking about the implications (I'm not talking about
| costs or time, I really had meetings with really high-level
| managers who asked me, straight in the eyes, to make "a
| solution with all the advantages and without the
| disadvantages" and they were very proud of their line).
|
| I learned that very high level management meetings are dumb
| and boring, that those people don't even have the slightest
| clue what they are talking about and spend hours on
| micromanagement discussions (I attended a very high-level
| meeting where I replaced my n+1 and they literally spent one
| hour discussing who should send an email to X to ask him to
| send an email to Y. I took notes of that one because I feared
| nobody would believe me).
|
| But I also reached the conclusion that managers are
| necessary. I even had a very good one who told me after one
| week: "I'm a manager, I have no idea how you are doing your
| thing. My job is to set a goal with you then your job is to
| ask me every time I could help with your job. Also, I'm here
| to insulate you from the administrative shit".
|
| I tried to become a manager like that. I also lived by the
| credo: "If anything fails in my team, it's my fault, I will
| not put the fault on individuals in my team".
|
| I learned that this works only with very good teams and
| independent individuals. Some people need to be taken by the
| hand and a good manager will offer psychological help. But
| this only works if the layer above is also working that way. I
| ended up fighting with my N+1 because they absolutely wanted to
| fire someone from my team.
|
| Needless to say, a CEO and friend told me I was not a good
| manager. I would never become one if I didn't change the way
| I was looking at things.
|
| So, in conclusion: there are good managers. But they do not
| last long. They either quit or become bad managers, which is
| the only way to climb in the hierarchy: lick upper levels'
| asses and tell them that any problem is because of the
| individuals in your team. If you do that properly, you will
| never stay long enough in a team to have any impact anyway.
| Don't try to deliver. Pretend you do it by saying it in a
| powerpoint. And tell your developers that everything is due
| yesterday.
| tester457 wrote:
| > Needless to say, a CEO and friend told me I was not a
| good manager. I would never become one if I didn't change
| the way I was looking at things.
|
| They'd rather you be the bad manager that plays the hierarchy
| game?
| mnw21cam wrote:
| "To use the Mastodon web application, please enable JavaScript."
|
| I don't want to "use the Mastodon web application", whatever that
| means. I just want to read a web page like a normal person.
|
| _Sigh_ Does anyone have the article text handy?
| [deleted]
| dredmorbius wrote:
| There is at least one open issue on the Mastodon github project
| requesting basic functionality without requiring Javascript.
| Which notes that this is clearly already possible:
|
| "Show post content at standard post URLs when JS is disabled
| instead of just 'enable JavaScript' message, since this is
| already done for /embed URLs #23153"
|
| <https://github.com/mastodon/mastodon/issues/23153>
| phyzome wrote:
| Yes, unfortunately Mastodon 4.0's public web interface now uses
| JS to render threads. Lots of people are mad about it.
| Aachen wrote:
| It's rumoured someone could patch it and run their own.
| Haven't tried for myself. Seems like a lot of work and
| JavaScript is pretty convenient as compared to full page
| reloads or frames.
| weberer wrote:
| Don't know why your comment is grey. Forced Javascript is a
| blight on the internet.
|
| https://archive.is/fxqui
| aaron695 wrote:
| Because it's ok you guys are babies but it's not ok to tell
| us every time you go potty.
|
| It's banned in the rules on the site. No-one wants to hear
| about your off topic journey of self discovery. Maybe Reddit
| does?
| arcanemachiner wrote:
| JavaScript is fine. It's just a tool. Like a hammer.
|
| A hammer can be an important part of building breathtaking
| architecture. It can also be used to gouge somebody's eyes
| out.
|
| Just like JavaScript.
|
| EDIT: That "web app" was very nice to use.
| deanCommie wrote:
| > Forced Javascript is a blight on the internet
|
| Do you genuinely believe this is still an open question?
|
| I won't dispute the argument that maybe it was a mistake, but
| to me it seems indisputable the ship has sailed.
|
| I _might_ buy the argument that any "mandatory" websites -
| government, library, academic - should be operational without
| Javascript.
|
| But in the casual or entertainment domain, no one is obligated
| to provide their users an operational Javascript-free
| website. If you can't read something without Javascript,
| that's a you problem.
| NotYourLawyer wrote:
| Most websites are far better with JS disabled. They're
| responsive, they have fewer ads, they don't assault me with
| autoplaying video/audio, they don't track me (as much),
| they don't make my laptop fan spin up and waste my battery.
| Just absolutely better in every way.
|
| Some websites don't function without JS. I either enable it
| on a case-by-case basis, or avoid those websites.
| savanaly wrote:
| >Please don't complain about tangential annoyances--e.g.
| article or website formats, name collisions, or back-button
| breakage. They're too common to be interesting.
|
| From https://news.ycombinator.com/newsguidelines.html
| pc86 wrote:
| I actually upvoted the comment because it's true (and it's
| positive now anyway), but it was probably negative because
| people complaining about the platform on which a given link
| is posted is pretty boring, and happens pretty regularly.
| Surprisingly regularly especially when you consider that
| approximately 0% of regular web users have JS disabled so
| there's not exactly a strong incentive to build for that
| crowd.
| 0xbadcafebee wrote:
| Blight on the web, you mean. The internet is what you pass
| packets over. The web is what you pass memes over.
| gpderetta wrote:
| I'm sure there must be an IP-Over-Meme implementation
| somewhere.
| EvanAnderson wrote:
| The Internet is a thing is used to pass HTTPS which we then
| tunnel all new protocols over.
| kissgyorgy wrote:
| If you turn off JavaScript, just shut the fuck up please and
| don't read the story.
| netsharc wrote:
| I'm going to make my own HN, with JavaScript requirement, so
| all the "Doesn't work with JS off"-whiners never make it in.
| And blackjack!
| rcoveson wrote:
| Popular opinion of the decade: Social media is vile.
|
| Why are we live-tooting (ugh) our client's private disasters? The
| indiscretion is staggering.
|
| This account casts its author in as bad a light as it does their
| client. I wouldn't want to work with either.
| A4ET8a8uTh0 wrote:
| I will admit that it caught my eye too. No names were
| mentioned, but how difficult would it be to determine who the
| client was/is? Then again, most companies these days have a
| 'social media' clause in their contracts so that you don't do
| around saying things you shouldn't about your work.
| mjw1007 wrote:
| Thirty years ago you might have read a similarly-anonymised
| account of the incident in the risks digest.
|
| I don't think the reporting being 'live' makes it much better
| or worse, though it probably wastes more of the readers' time.
| macspoofing wrote:
| >Why are we live-tooting (ugh) our client's private disasters?
|
| Indeed. I'm glad they are, because it is fascinating but very
| odd. I'm sure it's not hard to identify the customer either.
| guhidalg wrote:
| I'm glad they are too. Let's take another example: what if
| the client was a healthcare provider and instead of us merely
| chuckling at the inconvenience of losses we witnessed deaths
| from management's incompetence. Would you still want the
| event to stay confidential if someone you knew died? I'm glad
| someone is discreetly sharing details of the situation to
| signal to the world "Hey if you fuck up compliance people can
| die, please don't do it like this" instead of keeping it
| confidential.
| LordDragonfang wrote:
| >I'm sure it's not hard to identify the customer either.
|
| OP seems rather sure of the opposite:
|
| >But I felt I needed to address one particular concern that
| has been repeatedly raised. That of the identity of the
| company in question.
|
| >I'm a professional, and I've been doing this a long ol'
| time. There is no way I'm going to risk the identity of the
| company, or my reputation, or the potential legal
| consequences for some interaction on social media.
|
| >So to clarify, enough details of the incident and those
| involved have been changed to protect their identity and
| everyone else involved. I am confident that you could work at
| the company involved and not even be aware this happened,
| even after reading this. Partly due to scale and partly due to
| managerial secrecy.
| cschep wrote:
| I found the writer to be downright empathetic. People make
| these decisions on purpose to cause their employees this much
| pain and you're worried about defending their feelings from a
| writer who is actually deploying empathy? I am so confused by
| this position.
|
| If the writing was nasty and exposing specifics, sure, but it
| very much is not.
| luckylion wrote:
| > People make these decisions on purpose to cause their
| employees this much pain
|
| Do you actually truly believe this?
| rcoveson wrote:
| I'm not defending the "feelings" of the company. I'm pointing
| out unprofessional behavior encouraged by a culture of
| oversharing.
|
| Journalists and other outside observers can and should write
| about corporate incompetence wherever they find it. When
| you're in a paid position of trust, though, talking about
| your client's failings is tacky.
|
| I agree that the writing isn't nasty. The specificity is the
| key. I guess to some people this came across as sufficiently
| anonymized. To me, it seems like anybody working at this
| place knows that the author is talking about their company,
| which is a problem in and of itself. But it also means we're
| just one equally-indiscreet reply away from knowing exactly
| who this is (something like "yeah, I work here and...").
| Though I really don't think that even that much additional
| info is necessary to deanonymize this. Just a hunch;
| obviously you disagree.
| hgsgm wrote:
| Which of these two anonymous organizations will you be
| boycotting?
| rcoveson wrote:
| The author's account is about as anonymous as Lemony Snicket
| is pseudonymous. Technically, but not practically.
|
| Don't get me wrong, I don't dislike this person. It's not a
| "boycott". I'd just prefer not to be their customer, because
| this story goes a bit over where I'd draw the line of
| oversharing. I don't imagine that it will ever actually come
| up, and I hope it never does.
| kneebonian wrote:
| Because we all learn from it, can see what went wrong and what
| didn't and overall become better practitioners, whereas in the
| old days everyone would be making the same mistakes and no one
| would learn from them.
|
| Also he made pretty clear that he was anonymizing it to the
| point it would be incredibly difficult to tell.
| smcg wrote:
| "Hey, there's a rake up ahead. I'd recommend not stepping on it."
|
| "Ow! Why did this happen?"
| gtsteve wrote:
| Yes I remember this from my consulting days well.
|
| Me: If we do A, B will happen
|
| Client: Do A anyway, we'll deal with B later.
|
| (time passes)
|
| Client: OH MY GOD B HAS HAPPENED
| aidenn0 wrote:
| A friend of mine started writing his predictions and putting
| them in sealed, dated envelopes. He said the 3rd time he
| pulled one out Carnac[1] style, management actually started
| listening to him. Nobody really got "I predicted this 18
| months ago" but the theatrics apparently drove the point
| home.
|
| 1: https://en.wikipedia.org/wiki/Carnac_the_Magnificent
| hprotagonist wrote:
| doctor, doctor, it hurts when i do $this
|
| well don't do $that then
| Oxidation wrote:
| Private healthcare: there is only one dollar sign and it
| changed hands between those sentences.
| mdip wrote:
| Oh, do I remember these days. I spent 17 years at a global
| multinational telecom through two mergers and a bankruptcy (and a
| half). We were a large organization (between 5,500 and 22,000
| depending on the year).
|
| During much of that time, "who paid for what" was a big issue.
| The thread alludes to the issue: IT says "you need to buy new
| hardware every _X_ years", department already has less than no
| budget, has no budget for new PCs and perceives no _need_ for new
| PCs for workers that could get away with much less than they're
| using, now.
|
| It was a funny little game that was played because IT would get
| dinged in their compliance metrics if staff was out of date (and
| staff _hated_ old hardware /blamed IT), but management would get
| dinged for spending too much and have little incentive to buy new
| hardware until the last second. Meanwhile, C-Level executives on
| both sides get to say "your problem". The difference, here, is
| that someone gave IT a pretty large sledge-hammer and permission
| to use it in order to force departments to push for more budget.
| In our case (and I'm sure others), a bit (a lot?) of non-
| compliance was normal.
|
| Personally, I think the take that "IT should own the budget"
| isn't as great as it sounds. It solves one problem: distributing
| the payment among budgets creates a "shared responsibility" that
| ultimately becomes "pass the buck". It also happens low enough
| from C-Levels that "they don't have to think about it."
|
| Having IT own the budget solves this because at least _one_
| C-Level is going to have to account for a large enough expense
| that it's likely to be a little better planned for.
|
| It won't _always_ be better planned for ... depending on the
| company or manager, it won't _often_ be better planned for.
| Unfortunately, the consequence of this poor planning only extends
| to the IT budget. Since compliance is non-negotiable, the largest
| line-item on the budget -- IT's staff -- is the next hit. In the
| former model, "making the budget deficit up" is naturally spread
| throughout the company, in this model, it all hits IT.
| pas wrote:
| All in all this is business as usual. You can't work because
| your work device is unfit to do the work? It's not really your
| problem as an employee. It's the employers' responsibility to
| provide the tools, and it's up to each management how they
| solve it, with what trade offs. This one picked "budget first,
| compliance second, worker/client satisfaction and business
| continuity last".
| manv1 wrote:
| The cost should be billed to the department with the users that
| were affected. The laptops are assigned to those employees, so
| normally any kind of compliance/spend should be associated with
| them as well. It doesn't matter if those costs are mandated by
| compliance, it's up to each department to keep up.
|
| FYI for those non-corporate readers, if there's an actual
| compliance department that means that the cost of non-compliance
| is really, really high. That either means financial or
| government/DoD.
| deepsun wrote:
| Kudos to Compliance team to keep the high bar on their work and
| not let anyone go like "oh this superuser password is just for
| testing and telemetry, we certainly won't forget to remove it
| before release".
| kabdib wrote:
| I _never_ let a company have access to my devices. They can buy
| me a phone if they want to (the last place I worked did).
| mousetree wrote:
| In my experience most companies would provide the device if
| they require MDM. Would definitely be a hard no if they asked
| me to MDM a personal device
| aidenn0 wrote:
| Pretty much every MDM advertises BYOD support, so presumably
| _somebody_ is doing that?
| Macha wrote:
| I know our company lets you BYOD if you don't want to deal
| with also carrying around the company supplied devices.
| They have the opposite problem, as the company lets you
| pick between the top end iPhone and Samsung with a 2 year
| replacement window, so people are tempted to use their
| company supplied device as their personal device also.
| whstl wrote:
| I once worked at a company that paid "device rental" money to
| employees that used their own devices. It needed MDM, but you
| could rescind it at any time. Some co-workers would finance
| laptops and use the "rental" money to pay the installments. I
| did the math and it wasn't worth it for me, though.
| advisedwang wrote:
| The thread talks about getting extended manufacturer support,
| which suggests they are all the same device, which suggests
| this _was_ company provided devices.
| Aissen wrote:
| That's the thing, it's not your device, it's your work device.
| rejectfinite wrote:
| Yes. But MDM/Intune can also be set to company devices.
| kabdib wrote:
| Exactly.
| paultopia wrote:
| I could easily see any big university perpetrating this.
| twawaaay wrote:
| The CEO will have a convo with two of his managers that will
| resemble me when I talk to my two sons when they get into a fight
| and start pulling out all of their excuses.
| somecompanyguy wrote:
| apparently nobody quantified the projected losses, because that
| would have caused this to not be ignored. i blame everyone
| involved including the service provider. everybody did something
| wrong
| charles_f wrote:
| We need a retrospective, how could you let this happen?
| tenebrisalietum wrote:
| 1. You told us to do it.
|
| 2. We did it.
|
| 3. It was done.
| Oxidation wrote:
| 4. Bonuses all round?
| jenadine wrote:
| I don't understand what's going on? What kind of devices are we
| talking about?
| db48x wrote:
| Probably laptops.
| GartzenDeHaes wrote:
| OP mentioned Microsoft Intune, which is used to manage phones
| (System Center is used for laptops).
| ollien wrote:
| I've since left my gig with MS systems, but I seem to recall
| seeing some sort of InTune client on my laptop. Is my memory
| failing me or is the client just weirdly named?
| jabroni_salad wrote:
| intune is the cloud replacement for Configuration Manager.
| It's been renamed a bunch of times over the years. I'm
| pretty sure they call it Endpoint Manager right now.
| rejectfinite wrote:
| Laptops. This is using Microsoft Endpoint manager/Intune when
| they talk about "compliance".
|
| IT admins can set a policy like "must have 6 number PIN for
| login", if it does not then it is out of compliance.
|
| This can mean nothing at all but if the company wants to act on
| it, it can.
| wstuartcl wrote:
| and it sounds like in this case, anything that was out of
| compliance (in any regard) was acted on by wiping the device
| and deregistering it on the deadline day -- read this as 1700
| laptops or desktops getting wiped in one day.
| harel wrote:
| I like his avatar image. I've just finished restoring and pumping
| some steroids on an Amiga 500. It's still open next to me and
| it's nice to have that logo pop up on an unrelated context.
| dijksterhuis wrote:
| > Service Desk is now aware that everyone else except them was
| aware, and now IT is absolutely incandescent.
|
| I see that life as enterprise service desk hasn't changed much.
| "Nobody tells me nuthin!"
|
| Shout out to the ever under appreciated service desk folks out
| there.
| Spivak wrote:
| I would be _giddy_ with excitement if I worked IT for this
| company. Yes pleeeeease let me answer phone calls, put me in,
| coach.
| IIsi50MHz wrote:
| I somehow often interpret "Put me in, Coach." as "Put me in
| coach." for moment before the feeling of "O, god no!" and
| memories of hours of discomfort are replaced^W^H overlain with
| understanding it's meant as an appeal for being allowed to do
| the thing.
| MichaelZuo wrote:
| Sounds like a wonderful niche for a startup to innovate in and
| ensure up-to-date communication. Though I'm surprised such a
| service isn't already offered by Zendesk et al.
| kneebonian wrote:
| There are actually several startups that are tackling the
| problem of organizational change management and
| communication.
|
| You may have heard of some of them, ServiceNow is one, SAP is
| another, some small companies like that.
|
| It turns out there is not a technological solution to a
| management problem.
| icelancer wrote:
| >> It turns out there is not a technological solution to a
| management problem.
|
| Been my favorite saying at my small business for years now
| when people propose technological solutions to HR issues.
| That isn't gonna cut it.
| browningstreet wrote:
| I wonder what a good ServiceNow implementation looks like.
| I've been at a few enterprise orgs now and all their SNs
| are... beyond terrible. The hosted SAAS performance is
| agonizingly slow. If this is ITIL personified... I'm
| aghast.
| NovemberWhiskey wrote:
| ServiceNow: when filling in an incident ticket takes
| longer than resolving the incident.
| MichaelZuo wrote:
| Are you sure there isn't even a partial solution?
|
| I can imagine the brute-force approach:
|
| Log every intra-company communication, and if some
| communication was meant to go to department X, Y, Z, and it
| only went to X, Y, then a flag would be immediately raised
| to department Z's attention and whoever sent it.
|
| Of course the personnel in department Z might review it but
| ignore it anyways, but at least now there's a paper trail
| of who's at fault.
|
| An Exchange system already gets you 80% of the way there if
| you force all on-the-record communications via email.
| kneebonian wrote:
| > Of course the personnel in department Z might review it
| but ignore it
|
| That's the problem right there. One of my clients had a
| large IT organization of over 1000+ employees, with
| strict change control rules, and procedures that were
| tracked in SN. Every time there was a change management
| meeting everyone who could possibly be affected would get
| an email from Service Now notifying them of the upcoming
| changes.
|
| Pretty much every engineer ignored those emails, because there
| was so much going on in the org you'd get dozens of
| emails in a week and most of them you'd only be
| tangentially affected by, meanwhile you had your work to
| do.
|
| So the problem isn't getting the notifications out it's
| getting people to pay attention to them.
| MichaelZuo wrote:
| I don't see how that's a problem for the organization.
|
| Individual preferences do vary, one ignores 90%, another
| 95%, another 100%. And the one who's ignoring 100% of
| them will likely eventually make a mistake that otherwise
| wouldn't have happened.
|
| But it will be fairly straightforward to resolve, after
| all there's an extensive paper trail as the chain of
| custody seems clear. Assuming the "change management
| meeting" emails were the approved means of communication.
| nordsieck wrote:
| > I don't see how that's a problem for the organization.
|
| IMO, one of the lessons that came out of Chernobyl is
| that it absolutely is a problem for the organization.
| Exposing people to too many "alarms" that are constantly
| going off will cause people to start ignoring them.
|
| Part of good design is figuring out which things are
| truly important, and how to communicate that to the
| people who are supposed to be paying attention.
| MichaelZuo wrote:
| The analogy seems not to apply?
|
| The emails mentioned by the parent don't sound like
| alarms. Because an alarm is usually for 'drop everything
| and focus on this' situations.
|
| The equivalent in email terms would be receiving an
| email with a subject in ALL CAPS bolded and underlined.
|
| Or in general intra-company communication terms, a phone
| call from your boss without any pleasantries and a
| serious voice.
| Volundr wrote:
| Alarm or not doesn't really matter. If a person is
| receiving a signal that does not affect them most of the
| time they WILL start to ignore that signal. Many will
| attempt to combat this with policies and consequences,
| "Make sure you're reading these e-mails, or else!" but it's
| a fruitless endeavor. Humans will human. Better to
| recognize that and build your systems around it.
| MichaelZuo wrote:
| So what?
|
| If someone makes the wrong decisions because they start
| ignoring signals then don't promote them or give them
| important coordinating responsibilities. Those who are
| capable of filtering out a larger fraction of noise do
| exist.
|
| Of course there will always be folks whose preference is
| to read near 0% of their emails, but that doesn't imply
| organizations must be designed around them.
| post-it wrote:
| Finding someone to blame doesn't matter if the company
| goes bust.
| Volundr wrote:
| > If someone makes the wrong decisions because they start
| ignoring signals then don't promote them or give them
| important coordinating responsibilities. Those who are
| capable of filtering out a larger fraction of noise do
| exist.
|
| This is simply wishful thinking. Outliers certainly
| exist, but the idea that there are sufficient number of
| them that you can just ignore human nature is a path to
| disaster. You'd have to somehow accurately measure not
| just who is opening these noisy e-mails, but what they
| are retaining from them, and measure it over a large
| period of time, knowing that the vast majority are going
| to fail. It's far cheaper and more reliable to fix your
| noisy system than to try to outwit human nature.
| alexvoda wrote:
| You appear to not have experienced intra-corporate spam.
|
| When __everything__ is _highly important_ and #urgent#,
| nothing is important and urgent.
| Karellen wrote:
| It sounds like what you're suggesting is that, so long as
| you know who to blame for the problem, it doesn't really
| matter how bad the problem is when it hits you? Even if
| the company goes insolvent because of the problem, if
| you've got someone to point to and say "their fault",
| it's not a problem for the organisation?
|
| That... doesn't sound like a great approach to me.
| fishpen0 wrote:
| It sounds like the actual problem is getting too many
| meaningless notifications, inadvertently training people
| to ignore everything
| cbtacy wrote:
| Ironically, one of the first things I learned working in
| software businesses (a long, long time ago now) was the
| following:
|
| Human problems require human solutions. Tooling problems
| require tooling solutions.
| fragmede wrote:
| More traditionally phrased as technology alone can't
| solve social problems.
| mschuster91 wrote:
| Oh god. ServiceNow... I have yet to see an implementation
| that did _not_ end up a shitshow.
| kneebonian wrote:
| I know, the funny part is it is still leagues better than
| what the client had before it HP Service Manager. Imagine
| something so bad that SN makes you feel happy in
| contrast.
| mschuster91 wrote:
| I swear we could have worked for the same company lol.
| They migrated from HP to SNow... not much of an
| improvement.
| weego wrote:
| You can't add more stuff into a situation where the major
| blocker is human apathy.
| MichaelZuo wrote:
| Well 'human apathy' can be logged at the least so that
| finger pointing games don't happen.
| kjs3 wrote:
| Let me guess...you've never worked at a large,
| bureaucratic organization.
| MichaelZuo wrote:
| I have. What makes you think otherwise?
| fragmede wrote:
| Then you're extremely lucky to have worked in a huge org
| where logging of apathy managed to actually avoid finger
| pointing games.
| ilyt wrote:
| "We need that machine tomorrow?"
|
| "Why didn't you tell us you hired something new?"
|
| "They work here for 2 weeks now"
| dylan604 wrote:
| are new hires really being referred to somethings now?
| Oxidation wrote:
| Chinese lesson one: don't call someone a "thing".1
|
| Chinese lesson two: _really_ don't call them "not a
| thing".
|
| 1: Also it's still my favourite, uh, thing that the word
| for a "thing" is, literally, an "east-west".
| ye-olde-sysrq wrote:
| Is the lesson for native-chinese-speakers about speaking
| English? If so, interesting, I haven't actually seen this
| (presumably common?) oopsie before. It also hadn't
| occurred to me how crushing of an insult it is, but damn
| yeah it sure is.
| st_goliath wrote:
| No, it's a Chinese lesson.
|
| A "thing" or "stuff" in Chinese is Dong Xi (dongxi).
| That's _literally_ "east-west" if you pick the individual
| characters apart. That's what the footnote refers to.
|
| Calling somebody Bu Shi Ge Dong Xi (bushi ge dongxi)
| means something along the lines of being good for
| nothing, i.e. an insult. Translating it _literally_, it
| would be calling somebody "not a thing".
| smiley1437 wrote:
| That's a pronoun I haven't seen yet
| mrguyorama wrote:
| Honestly it's a way more accurate reflection of how
| managers see employees
| flerchin wrote:
| :feels:
| dylan604 wrote:
| ?? Isn't feeling the employees an HR violation?
| kevin_thibedeau wrote:
| Only if the employee decides they were harassed. This was
| a "loophole" in a harassment training package a former
| employer used. Basically if you were of an ilk that will
| always be believed by HR you get a blank check on what to
| consider harassment. A classic some are more equal than
| others scenario.
| TomK32 wrote:
| Nihilist, pronouns something/whatever.
| rozab wrote:
| A few people are using it/its (like crimew, the hacker
| who did the no fly list thing), and I think they often
| prefer this sort of construction
| aaronmdjones wrote:
| Ah, service desk is the organisation's mushroom; kept in the
| dark and fed on s**t.
| bmitc wrote:
| > "Nobody tells me nuthin!"
|
| Nice _Hot Fuzz_ reference.
| Kye wrote:
| Actual footage: https://www.youtube.com/watch?v=DXPtCBcOvu0
| jmholla wrote:
| Mostly unrelated, but I hate websites like this that think
| their way of handling arrow keys for scrolling should be
| implemented over how every other web page does it. I lost my
| place so many times when I mindlessly tried to scroll again with
| the arrow keys.
| gambiting wrote:
| And even though this website only contains his posts and
| nothing else, individual posts are minimised and have to be
| clicked on to unfold, which scrolls the entire page for me on
| mobile chrome and I have to find it again. It's a usability
| nightmare.
| fragmede wrote:
| This website is a well known infosec Mastodon host. The
| linked site is to a specific person's feed but the site local
| feed, with many other individuals' posts is at
| https://infosec.exchange/public/local
| LordDragonfang wrote:
| Top right of the content bar has an eyeball icon with "show
| more for all", which expands them all at once, but agreed,
| this isn't great UI or UX (still better than twitter though!)
| jliptzin wrote:
| I found a really bad vulnerability in a dating app once, allowed
| anyone to see all other users' exact locations...contacted the
| CEO to let him know to fix it. He acknowledged. Thought that was
| it.
|
| A few months go by, I decide to check again. Still hasn't been
| fixed, emailed again, acknowledged again. On and on and on. About
| a year went by for them to finally implement this fix which
| should take all of 10 minutes, I mean at the very least all you
| have to do is introduce some entropy into the gps coordinates of
| the user. Hopefully I am the only one that found it.
|
| It's pretty astonishing how much people just don't care even the
| C suite.
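Added example (not from the thread or from any app it discusses): the comment above proposes adding "entropy" to served GPS coordinates, and this checks how three versions of that fix hold up when a client collects many reports. Fresh per-request jitter averages away; a fixed grid snap or an HMAC-derived per-user offset returns the same point every time. The location, user id and server key are constructed.

```python
"""Added example: not from the HN thread or from any app it discusses.

Compares three ways of coarsening a user's served location on constructed
data. The check applied is the one a reviewer of such a fix would run:
average many reports for the same user and see how close the centroid
gets to the true position.
"""
import hashlib
import hmac
import math
import random
import statistics

# Rough metres per degree of latitude (and of longitude at the equator).
METRES_PER_DEGREE = 111_000.0


def distance_m(a, b):
    """Approximate flat-earth distance in metres between two (lat, lon) points."""
    lat1, lon1 = a
    lat2, lon2 = b
    dlat = (lat2 - lat1) * METRES_PER_DEGREE
    dlon = (lon2 - lon1) * METRES_PER_DEGREE * math.cos(math.radians(lat1))
    return math.hypot(dlat, dlon)


def _offset(true_loc, radius_m, u1, u2):
    """Displace true_loc by a point drawn uniformly from a disc of radius_m,
    using two unit-interval values u1, u2 as the source of randomness."""
    lat, lon = true_loc
    r = radius_m * math.sqrt(u1)  # sqrt keeps the disc uniform
    theta = u2 * 2.0 * math.pi
    dlat = r * math.cos(theta) / METRES_PER_DEGREE
    dlon = r * math.sin(theta) / (METRES_PER_DEGREE * math.cos(math.radians(lat)))
    return (lat + dlat, lon + dlon)


def jitter_random(true_loc, radius_m, rng):
    """Naive fix: new random noise on every request."""
    return _offset(true_loc, radius_m, rng.random(), rng.random())


def jitter_deterministic(true_loc, radius_m, user_id, server_key):
    """Noise derived from an HMAC of the user id under a server-side key, so
    the offset is unpredictable to clients but identical on every request."""
    digest = hmac.new(server_key, user_id.encode(), hashlib.sha256).digest()
    u1 = int.from_bytes(digest[:4], "big") / 2**32
    u2 = int.from_bytes(digest[4:8], "big") / 2**32
    return _offset(true_loc, radius_m, u1, u2)


def snap_to_grid(true_loc, cell_m):
    """Report the centre of a fixed grid cell of roughly cell_m metres."""
    cell_deg = cell_m / METRES_PER_DEGREE
    lat, lon = true_loc
    return ((math.floor(lat / cell_deg) + 0.5) * cell_deg,
            (math.floor(lon / cell_deg) + 0.5) * cell_deg)


def average_samples(points):
    """Centroid of many reported positions: the averaging check."""
    return (statistics.fmean([p[0] for p in points]),
            statistics.fmean([p[1] for p in points]))


def compare_schemes(true_loc, radius_m=1000.0, samples=500, seed=1):
    """Error in metres between the true location and the averaged reports
    under each scheme. The user id and server key are constructed."""
    rng = random.Random(seed)
    key = b"constructed-server-secret"
    rand_pts = [jitter_random(true_loc, radius_m, rng) for _ in range(samples)]
    det_pts = [jitter_deterministic(true_loc, radius_m, "user-42", key)
               for _ in range(samples)]
    grid_pts = [snap_to_grid(true_loc, radius_m) for _ in range(samples)]
    return {
        "single_random_report_m": distance_m(true_loc, rand_pts[0]),
        "averaged_random_m": distance_m(true_loc, average_samples(rand_pts)),
        "averaged_deterministic_m": distance_m(true_loc, average_samples(det_pts)),
        "averaged_grid_m": distance_m(true_loc, average_samples(grid_pts)),
    }


if __name__ == "__main__":
    # Constructed location (central London) for the demonstration.
    for name, err in compare_schemes((51.5074, -0.1278)).items():
        print(f"{name:26s} {err:8.1f} m")
```

With a 1 km radius and 500 reports, the averaged random jitter lands within a few tens of metres of the true point, while the other two schemes stay exactly as coarse as the first report.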
| stuff4ben wrote:
| IMO you should only give one chance for security
| vulnerabilities. If not fixed within your deadline or provided
| an explanation on why not, then it gets hacked. If you're into
| that sort of thing. Either that or blasting them on the social
| medias...
| kgeist wrote:
| Sounds familiar. In July 2022 I found a vulnerability in one of
| our systems (easy to exploit and basically allows anyone to
| authenticate as anyone, full access to LDAP accounts), I
| reported it and they made a fix which they supposedly deployed.
| The infosec department was notified everything was OK now. I
| decided to recheck it a few months later (I took it personally
| because someone could pose as me) and found out they somehow
| forgot to actually deploy it even though the original ticket
| was marked as fixed/closed. I notified the original team and
| they promised to deploy it "very soon" which didn't happen
| again. Basically every week I had to post "still not fixed" to
| their chat for a few months. Every time the project manager
| would promise it would be deployed soon but then would forget
| about it. Countless emails to the infosec department about the
| situation. It was finally deployed in January 2023, a fix which
| had been ready (coded and tested) for half a year by that time!
| Deploying it took literally 15 minutes. In fact, I could (and
| was ready to) deploy it myself because I have the required
| privileges but I was part of a different team by then and it
| felt wrong to mess with their release cycles on my own.
| t0astbread wrote:
| Should've just used the exploit to deploy using one of their
| user accounts, then thank them for the quick fix!
| mtsr wrote:
| That's what responsible disclosure is for. Having a set
| deadline before an issue becomes public at least puts some
| pressure on the company to fix it. Not out of spite, or
| anything, but because it's the only way to protect the users,
| instead of just the owners.
| pessimizer wrote:
| My reaction to this tweet was surprisingly intense. It's like the
| plot to a horror movie, or the 5 minute opening credit montage of
| a post-apocalyptic film.
| AtlasBarfed wrote:
| I'm guessing upper management prioritized the update of these
| devices with downstream management rather than overburden them
| with other stuff.
|
| So in the end, this is just one piss poor managed division
| abusing another piss poor managed division. Who gets the heat?
| Probably the lowest level people.
|
| Why "wipe" them? That seems unnecessarily punitive.
|
| You can see the "don't give a shit I work with a predatory
| organization" oozing from everywhere.
|
| The security guy is trying to claim that they've sent out many
| many notices, but really this is just an excuse to abuse other
| people in a machiavellian abusive organization.
|
| "Service Desk is now aware that everyone else except them was
| aware, and now IT is absolutely incandescent." Whoops, missed an
| email and a meeting in there bucko.
|
| And it's the SECOND company where this was "implemented" or
| "specced"? This sounds like someone checked a box or compliance
| or ass-covering upper management slid this under the table, but
| all the people it ACTUALLY AFFECTS didn't get any input or
| opinion on the matter. And when push came to shove over funding
| it that person had probably moved on to bigger and better things.
|
| So since you get to do it, you seem to be gleefully doing it.
| Great job.
| tux3 wrote:
| Don't shoot the messenger.
|
| If compliance and legal say to wipe the laptops, and everyone
| with a budget was aware of it for a year, it's not reasonable
| to put the disaster on whoever was in charge of implementing
| policy.
|
| This is not a Petrov situation, you're not saving the world by
| going out of your way to be the person that will defy
| Compliance today, just because the policy is really dumb.
|
| The people locked out would be shortsighted to blame the random
| security guy. They joined a big company with a very strict
| compliance machine, not a startup where you move fast and break
| things, then ask legal for forgiveness.
|
| Big organizations are dysfunctional, news at 11. Don't blame a
| random IC for executing policy after considerable warnings. If
| communication is so thoroughly broken internally, and no one
| wants to take responsibility for necessary spending, it's not
| the job of some random security guy to fix that internal
| dysfunction.
| zokier wrote:
| > Why "wipe" them? That seems unnecessarily punitive.
|
| Potentially leaving company confidential material on non-
| compliant devices is not something Compliance department would
| want to allow
| Blackthorn wrote:
| What exactly are you suggesting this person does? The policy to
| wipe clearly came from the company's compliance department.
| They warned them over and over what was about to happen, and
| went above and beyond doing it with multiple meetings and phone
| calls.
| whstl wrote:
| Exactly. In this situation all you must do is warn people of
| the risks and document, document, document. Which the article
| writer seems to have done.
| iso1631 wrote:
| A gleeful feeling does come across, although the poster does
| claim it's not schadenfreude. They also mention they think
| plenty of notice was given out to various middle managers.
|
| There are better ways to handle this, when sending the messages
| out. If the deadline for compliance was 31 Jan, then when
| sending comms out say the deadline is 31 Oct, and machines
| would be wiped after that. Then start wiping them, 10% of
| machines on 1st November, another 10% on 8th November, etc.
| tux3 wrote:
| I think we can charitably call it watching a trainwreck
| unfold.
|
| There is not necessarily any Schadenfreude in watching and
| reporting it. No one _really_ needs to be taking pleasure, it's
| just hard to not pay attention to a train crash occurring
| in slow motion.
|
| It's very natural to want to talk about something this
| stupid/bad. Rubber necking is extremely human.
| AtlasBarfed wrote:
| I agree. Not a single concern for boots on the ground that
| are likely already squeezed, and now have the apparently
| abusive compliance and security departments fucking them
| over.
|
| Now everyone in the affected chain gets a black mark on their
| "permanent records" and gets exposed at a time when likely
| layoffs are coming.
|
| What I don't hear is "why can't they upgrade, and how can we
| help them upgrade", it's WE TOLD YOU, NOW YOU SUFFER.
|
| Here's the kicker: it's 1600 devices. Ok, so they've been
| told for 13 months to do this. Well, let's do some math.
| That's 260 working days. Oh look, about 1600 working hours.
| So if you guys had simply upgraded a device an hour over the
| last year, this wouldn't have been the problem. Yes, that's
| not fair, but neither is what the person is doing.
|
| Security is the military arm of compliance. Finger pointing
| at compliance is a bit mendacious. Saying LOL it's not my
| fault, it was compliance. NOW WATCH ME DROP THE HAMMER BOOM.
|
| I mean, I guess the guy is saying LOL I'm outsourced and not
| even in the company HAHAHA. Still, eff this guy for taking a
| bit of glee in this.
| iso1631 wrote:
| If I were uncharitable and cynical I would claim that it
| looks like somebody has a goal to implement central device
| procurement and management and have built a system to
| enable that to happen.
| zokier wrote:
| > Here's the kicker: it's 1600 devices. Ok, so they've been
| told for 13 months to do this
|
| That is not really how I read it; the devices got a year
| _extension_ because people had already failed to refresh
| them within the standard cycle. From the sounds of it these
| are typical workstations etc, their support cycles are very
| predictable and if you bought some crappy ones without a
| predictable lifecycle that is on you too. That extension
| should have been a wake-up call, the process had already
| failed then.
| jodrellblank wrote:
| Not sure if the devices are laptops or phones, so assume
| $400/device and $50/hour time, that's about $700,000.
|
| "If you had simply spent nearly three quarters of a million
| dollars of your own money, done 40 weeks of volunteer
| overtime on top of your normal job, without any purchase
| approval, without the authority to do that, and no
| guarantee of seeing that money back, this wouldn't have
| been a problem, so fuck you"
|
| is a terrible take all around.
|
| > " _What I don't hear is "why can't they upgrade, and how
| can we help them upgrade"_"
|
| We know why they can't upgrade, because the departments
| responsible for purchasing the upgrades won't agree to
| spend the money. This isn't something which can be helped
| by more technical input.
|
| > " _Finger pointing at compliance is a bit mendacious_ "
|
| "mendacious: not telling the truth; lying." - nope, wrong.
| Legal and Compliance say it must be done and you must do
| it, and have the authority to do that. Pointing fingers at
| them is honest and appropriate, that is where the
| instruction is coming from (legal) and the reason why the
| instruction exists (compliance with internal or external
| regulations).
| iso1631 wrote:
| Except the tale all falls apart when the service desk had
| no idea this was going to happen
|
| Clearly the compliance team (or whoever is implementing
| it) has failed in its communication
| AtlasBarfed wrote:
| I'm not saying the guy is the second coming of Hitler. I
| mean is it his job to care? Not really. Is the absurdity
| humorous? Maybe he communicated it wrong? It's twitter.
|
| It's more that security teams tend to have uncooperative,
| aggressive, authoritarian, and punitive dispositions. I
| think ye old security industry had its roots in three
| letter government agencies which are used to conformance,
| policy hammers, and enemies of the state.
|
| But when you add that to an organization already rife
| with infighting, dissatisfaction, and frustration, it
| will just lead to more resentment and your employees
| become your enemies.
|
| The biggest security threats these days aren't leet
| hackers exploiting 0days, or even the county password
| inspector conning his way in. It's overworked angry
| pissed off employees leaving the door open. It's like
| Princess Leia said: the tighter you squeeze, the more
| people you lose.
| gpderetta wrote:
| It seems to me that compliance was fully aware of what was
| going to happen and wanted to set an example. An expensive
| example, but apparently still spare change for the company, so
| it was well calibrated.
|
| Don't fuck with compliance I guess?
| ilyt wrote:
| > Why "wipe" them? That seems unnecessarily punitive.
|
| There was something in the thread about the devices coming out
| of support by manufacturer, which was already extended by a
| year.
| WaitWaitWha wrote:
| As others have asked, how did it get to this point?
|
| Did the meetings, emails, phone calls have the right people in
| them? Was there escalation up the org chain? Unclear from the
| tweets.
| ivraatiems wrote:
| Fascinating to read, but couldn't the author get in trouble for
| posting like this about one of their employer's customers?
|
| Where I work, which is a much lower-stakes environment, talking
| about our customers' issues or choices in public like this is a
| huge no-no. I'd get fired if someone found me out. Especially
| since if the customer is large, and the decisions have anything
| to do with my company's revenue, it could be considered MNPI.
| xorcist wrote:
| There's actually a _whitehat_ ransomware-as-a-service?
|
| Now you're telling me!
| rejectfinite wrote:
| That's kind of what all RMMs like n-able, ninja, connectwise,
| kaseya vsa, intune are.
|
| It is a "backdoor" into corporate computers so that IT can
| install programs, reboot, install/force updates, run commands,
| wipe devices etc...
| tflinton wrote:
| I've had a situation at a previous employer where a contract lost
| its ownership due to a reorg after downsizing. The new org was
| completely unaware of the contract lapse until services were
| turned off. The contract lapse had also lapsed the vendor review
| requirements and financial standing, and thus getting a new
| contract in place, signed and paid took compliance, legal,
| finance and IT all getting together with the C-level staff to get
| services turned back on.
|
| Longest outage I've ever seen in my life.
| RedShift1 wrote:
| How were the users informed? Did they even understand what's
| going on? If I receive an email saying my device is out of
| compliance, I'd ask, out of compliance with what? How do I check?
| How do I get in compliance?
|
| The way this is communicated to the users and what actions they
| had available to them makes all the difference here.
| jdironman wrote:
| I would also have thought there should be alerts for devices
| going out of compliance soon. I'd set that for months back to
| account for lead times and deal with it as it comes. CC finance
| / procurement on the alerts if necessary.
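The lead-time alerts jdironman describes and the staged 10%-a-week wipe iso1631 proposes above, as an added example that is not from the thread or from any RMM vendor; the inventory, dates and warning tiers are constructed sample values.

```python
from datetime import date, timedelta
from math import ceil

# Constructed sample inventory (not from the thread): device id -> manufacturer end-of-support date.
INVENTORY = {
    "lt-0001": "2023-01-31",
    "lt-0002": "2023-01-31",
    "lt-0003": "2023-03-15",
    "lt-0004": "2023-06-30",
    "lt-0005": "2024-01-31",
}

# Days before the cutoff at which a warning fires; widen the first tier to cover procurement lead times.
LEAD_TIMES = (180, 90, 30, 7)


def alerts_due(inventory, today, lead_times=LEAD_TIMES):
    """Return [(device_id, days_left, tier)] for every device inside a warning window.

    Dates are ISO strings. tier is the smallest lead time the device has already
    crossed, or "overdue" once end-of-support has passed; devices outside the
    widest window are omitted so the list only ever contains actionable items.
    """
    now = date.fromisoformat(today)
    alerts = []
    for dev, eos in sorted(inventory.items()):
        days_left = (date.fromisoformat(eos) - now).days
        if days_left < 0:
            alerts.append((dev, days_left, "overdue"))
            continue
        crossed = [t for t in sorted(lead_times) if days_left <= t]
        if crossed:
            alerts.append((dev, days_left, crossed[0]))
    return alerts


def staged_wipe_schedule(device_ids, start, fraction=0.10, interval_days=7):
    """Split non-compliant devices into batches of `fraction` (rounded up), one per interval.

    Returns [(iso_date, [device_ids])]; every device appears in exactly one batch,
    so the service desk sees a predictable trickle instead of one cliff.
    """
    ids = sorted(device_ids)
    batch_size = max(1, ceil(len(ids) * fraction))
    first = date.fromisoformat(start)
    schedule = []
    for n, i in enumerate(range(0, len(ids), batch_size)):
        when = (first + timedelta(days=n * interval_days)).isoformat()
        schedule.append((when, ids[i:i + batch_size]))
    return schedule


if __name__ == "__main__":
    for dev, days_left, tier in alerts_due(INVENTORY, "2023-01-01"):
        print(f"{dev}: {days_left:4d} days to end of support, warning tier {tier}")
    for when, batch in staged_wipe_schedule(INVENTORY, "2023-02-01"):
        print(f"{when}: wipe {batch}")
```

Feeding the alert list to finance or procurement at the 180-day tier is where the budget line item the thread asks about would get created.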
| jodrellblank wrote:
| Skimming the thread it appears to be middle management being
| informed, not users. The company devolved IT purchasing out to
| individual non-IT departments. Many of the purchased devices
| were past end of support life. Legal and Compliance set a hard
| cutoff when they could not be connected anymore and would not
| budge. This was known at least 12 months ago as the company
| bought extended support for some of the devices. IT told the
| department managers these devices needed updating/replacing
| over hundreds of emails and dozens of calls and meetings.
| Department managers took no action. Somehow the CTO was
| unaware.
| jaywalk wrote:
| Somewhere in the thread the author mentions that they were
| explicitly not allowed to inform users.
| ramshanker wrote:
| Ohhh the classic enterprise PROCEDURES ;)
|
| I concluded one of last year's deals in 8 months total from the
| first mail I sent. Fortunately, 1 day before the deadline (31st Dec)
| there were 4 different department heads (each at least 2 levels
| above my rank but still below C-level) involved with extended
| working hours on 30th December...... Ha ha.
|
| So when the next renewal comes up, I am gonna kick-start the
| _procedure_ 12 months in advance. :D
|
| For my mental peace.
| qup wrote:
| I think the real lesson is not to start the procedure sooner,
| it's to set the deadline earlier.
| smiley1437 wrote:
| Maybe I'm naive but shouldn't there have been an associated
| budgeted line item for this compliance requirement? Might have
| made things go smoother
| p_l wrote:
| There should have been, but according to the thread no
| department deigned to put it in their budgets, despite having a
| year-long extension.
| MichaelZuo wrote:
| "For anyone wondering why we don't just lift the compliance
| restrictions, we don't specify it. Their Compliance department
| does, and as it's a large company and the affected users are less
| than 25% of overall workforce... no exception will be made. One
| side of the org is going b-a-n-a-n-a-s and the other is taking a
| very parental "well you should have thought about that" tone.
|
| You kinda have to admire their commitment to the cause."
|
| I want to know what their org chart looks like.
| WirelessGigabit wrote:
| "For anyone wondering why we don't just lift the compliance
| restrictions, we don't specify it."
|
| What means "we don't specify it" in this sentence?
| tedunangst wrote:
| The person clicking "disable old devices" is not the person
| who decided that old devices would be disabled.
| baq wrote:
| Probably something along those lines
|
| https://images.app.goo.gl/9bRVF4EeZW4SJbqC9
| Aachen wrote:
| That link does not open for me, can someone post whatever
| that's supposed to redirect to?
| chrisandchris wrote:
| It's a picture of several org charts, each within a balloon
| by themselves but connected together by a line. However, they
| are all pointing guns at each other.
| teknofobi wrote:
| It's the Microsoft org chart with guns pointing between
| divisions, e.g here: https://www.businessinsider.com/big-
| tech-org-charts-2011-6
| bombela wrote:
| An organization chart with three main groups. Pointing guns
| at each others.
| shoo wrote:
| see also https://goomics.net/62/
| fmajid wrote:
| This comic by Manu Cornet:
|
| https://goomics.net/62/
|
| It was linking to the Microsoft one, but I think the Oracle
| one is more relevant.
| [deleted]
| furyofantares wrote:
| At a company run like that, I doubt these 1647 employees, or
| however many are using these devices, are really doing much
| anyway.
|
| * Seems I've misunderstood; I was corrected downthread.
| rvba wrote:
| I kind of disagree. Probably 80% of users are not exactly
| employee of the month but they probably do something.
|
| 20% can probably handle some legacy stuff that requires an old
| computer. Or a migration.
|
| In addition some can be management, so they won't be making
| decisions for some time.
| furyofantares wrote:
| Perhaps I've misunderstood, but if you're warned repeatedly
| that you'll lose access to your device(s) and haven't taken
| any action, I have to think you don't find it very important.
| db48x wrote:
| That's not how it works. Your manager's boss's boss was
| warned a year ago that a dozen laptops used by people in
| his department were going to go end-of-life at the end of
| this month. Nobody warned you about it at all; you were
| just plugging away at whatever tasks were assigned to you
| by your manager. Your manager might have known about it but
| was probably only told that you would be getting a new
| laptop "soon". Someone was supposed to be taking care of
| it, but nobody really knew who, or when, etc. So when your
| laptop didn't work right this morning, you called the tech
| support department, who ironically were the only department
| who didn't know this problem was coming.
| flerchin wrote:
| I tend to think that was a misplay on the part of the
| original author. If they had notified the 1647 users that
| their machines would be wiped a month in advance, then a
| bottom up pressure to get it resolved would have
| occurred. Few folks are as invested in their daily work
| as the people who will be blocked.
| furyofantares wrote:
| Ah, yeah ok. Thanks for explaining.
| racl101 wrote:
| I hear Clock Town Day 3 music playing.
| cm2187 wrote:
| Having worked all my life in large organisations, this sounds
| very familiar. A lot of people would rather the company go
| bust than challenge an internal policy written by a group of
| people largely above their level of competence, and completely
| unaware of and unconcerned about the implications of their policies.
|
| One of the things you realise when you get closer to management
| is that those policies shouldn't be taken too seriously if they
| contradict common sense.
| throwaway892238 wrote:
| OTOH, people who risk their career to challenge an internal
| policy written by a group of people largely above their pay
| grade and not answerable to them, at best become pariahs who
| are ignored, and at worst are fired for "not being a team
| player".
|
| Most people are only concerned with their own little corporate
| corner and doing the least effort that keeps them in paychecks.
| Trying to follow the spirit of a rule rather than the letter,
| or pushing for change to improve things overall, is _never_
| appreciated.
| cm2187 wrote:
| By middle management maybe. By senior management, what gets
| you promoted is the ability to fight back, challenge things
| that don't make sense and to get things done.
| bonestamp2 wrote:
| We call those people/policies the "Business Prevention
| Department"... In other words, they're the department that
| makes it difficult for everyone else to generate revenue.
| Sometimes they're right, but often they're too rigid to operate
| in reality and instead of protecting the company they actually
| hurt it.
| tomxor wrote:
| How is it that not a single person "in the know" (of which
| apparently there were a great many) had the sense to simply take
| this directly to the CTO, seeing how clearly middle management
| was failing a massive, critical and time sensitive task? It
| doesn't matter if you are the Janitor, it's obvious they are
| going to want to clear all the red tape out of the way as soon as
| they find out. What is it, some kind of "not my problem"ism?
| Madness.
| Spivak wrote:
| From the thread it seems like the company specifically took
| procurement away from the CTO and pushed it down to the
| individual departments and so there were a whole group of
| "final desks" that needed to agree on a collective purchase but
| didn't.
| gwbas1c wrote:
| Does anyone have any context? What company is this? How did they
| get into this situation?
| CoastalCoder wrote:
| I'm curious too.
|
| I'm not sure I could tell if this was truth or fiction.
|
| The depiction is so close to IT / compliance-office revenge
| fantasies, so fiction seems _plausible_.
| GartzenDeHaes wrote:
| This sounds a lot like federal government contractor / FISMA
| compliance. I was in a similar situation with VPN remote access
| device non-compliance, but we ended up ignoring the compliance
| requirements since Important People were using the VPN.
| jabroni_salad wrote:
| That happened when XP was decommissioned. The project's due
| date was set by a congressional order. The calendar ticks
| over whether you are ready for it or not!
| EVa5I7bHFq9mnYK wrote:
| So the author sold his work ethic for Twitter likes. He knew the
| disaster would happen and hasn't done enough to prevent it. I'm
| 100% sure the disaster could be prevented by taking up a phone
| and finding the people capable of solving the problem.
| ibejoeb wrote:
| This is addressed in the thread.
| tomxor wrote:
| > and hasn't done enough to prevent it
|
| Nuh uh, go read the thread.
| EVa5I7bHFq9mnYK wrote:
| I have. It's all about "I've sent all the formally required
| emails. Now preparing the popcorn and going to polish that
| bombastic blog post". If he didn't find the correct person
| and correct words, he hasn't done his job.
| tedunangst wrote:
| What is their job? Their job is to turn off the devices.
| They're not in charge of new device procurement.
| Dylan16807 wrote:
| It sounds to me like they did a _lot_ more than required in
| trying to convince people this was a bad idea. But they
| also didn't go out of the loop to find the right person.
| ruune wrote:
| 28 phone calls in 14 days too. And with everyone seemingly
| aware, another phone call probably wouldn't have helped
___________________________________________________________________
(page generated 2023-01-31 23:01 UTC)