
Some kind of additional leverage and/or connections were certainly used.

The open dirty secret of infosec is that outside of authentication systems, the products and services sold do not actually work. Usability and real world functionality are not box-tick items in feature matrix comparison. It is enough that a security[tm] product does something technically correct to get a green tick in the relevant feature list row.

As a result the products are not commonly sold to their end users. They are sold to C-suite, and inflicted upon their victims. And how do C-suite choose what vendor to throw their money at? DDQ/RFx templates. I wish I was joking.

The other dirty secret of infosec is that everyone does their vendor/client/etc. vetting with bingo sheets full of meaningless, context-free questions that try to enumerate SYMPTOMS of different kinds of breach scenarios - they do not attempt to look at root causes, and they certainly do not consider threat models. These bingo sheet templates are used by everyone: vendor teams, insurers, auditors, you name it.

And now we finally get to how Wiz pulling connections intersects with the above. A fair number of the bingo sheet templates come with pre-populated dropdown choices. The choices usually include no more than 8 options, including "Other". The implication is very clear: "if you use one of these known & approved vendor products, then we are fine with it".

Wiz got their offering included in the bingo sheet templates in approximately 18 months from launching publicly. That has provided them with constant advertising from the countless infosec questionnaires thrown around the various industries and the implied checkmark of being pre-approved as a vendor of choice. Given the landscape and the general quality of competing vendors, your product needs to be merely not-shit to stand out and get traction through the various back channels.

Now, from personal exposure I can say that Wiz's products (or at least those I have been faced with) are still better[ß] than their competition. A recent security scan report from a client using Wiz had only ~85% false positives. The average FP rate for other vendors tends to be 95% or even higher.

ß: security products must be the only segment where the vast majority of results being false positives is considered both acceptable and normal. In any other field a product that routinely gets >90% of its answers wrong would be consigned to the rubbish heap.


My experience as well. Better product, and a very aggressive sales team, which is something you missed. They were very willing to cut any deal at all to get the sale. Win-win IMO, and exactly the VC 101 playbook.

Tim Berners-Lee has been elevated to many things, but an ascension to deity must be a new reach.

I don't know, did you see the 2012 Olympic opening ceremony?

Kernighan & Ritchie deserve company

I can provide an example where cloud, despite its vastly higher unit costs, makes sense. Analytics in high finance (note: not HFT). Disclosure: my employer provides systems for that.

A fair number of our clients routinely spin up workloads that are CPU bound on hundreds-to-thousands of nodes. These workloads can be EXTREMELY spiky, with a baseload for routine background jobs needing maybe 3-4 worker nodes, but with peak uses generating demand for something like 2k nodes, saturating all cores.

These peak uses also tend to be relatively time sensitive, to the point where having to wait two extra minutes for a result has real business impact. So our systems spin up capacity as needed, and once the load subsides, terminate unused nodes. After all, new ones can be brought up at will. When the peak loads are high (& short) enough, and the baseload low enough, the elastic nature of cloud systems has merit.

I would note that these are the types of clients who will happily absorb the cross-zone networking costs to ensure they have highly available, cross-zone failover scenarios covered. (E.g. have you ever done the math on just how much a busy cross-zone Kafka cluster generates in zonal egress costs?) They will still crunch the numbers to ensure that their transient workload pools have sufficient minimum capacity to service small calculations without pre-warm delay, while only running at high(er) capacity when actually needed.

Optimising for availability of live CPU seconds can be a ... fascinating problem space.


There are absolutely plenty of spaces where this is true and cloud makes sense either because it's actually cost effective, or because the cost doesn't matter.

Most people aren't in those situations, though, but I think a lot of them think they're much closer to your scenario than the much more boring situation they're actually in.


Chinese companies have one massive advantage in aggregate: they know that from 2028 onwards they will be competing for a captive domestic market of >1.3B people. The CCP have declared as their industrial [service] policy that by the end of 2027, all Chinese companies must be using services exclusively from Chinese suppliers. The target ratio of domestic/foreign services is being ramped up year over year, so that by 2028 the base expectation is for everyone to have 100% Chinese suppliers only.

From then on, every exception must be justified to - and approved by - their respective politburo.

An obvious second-order effect is that there has been an explosion of Chinese B2B companies eager to get themselves established in the market. They know that in just a few years they can still sell their services outside China, but can expect very limited competition from non-Chinese companies. And inside the country, they have a population of ~4x that of the US to compete for.


> Not OP, but UX also matters a lot.

That is particularly true for anything dealing with security. I evaluated both BitWarden and 1Password when we wanted to migrate away from LastPass. My recommendation was to eventually go with BW. Its open-source nature was a factor, but for corporate use the UX factors were even more prominent.

Over the course of a month, I ran into several subtle footguns with 1P. Search included only some of the fields. The password reset/rotation flow was easy to mess up (thanks to the confusing + inconsistent "copy field" functionality) and get into a situation where the generated password that was stored in the vault was different from the one that was set: in my tests there was a 50/50 chance of accidentally regenerating the password before the vault storage step after submitting the new one for a remote service.

There were a whole load of "features" that didn't make any sense. The UI for 1P was a real mess. The feeling I got from it was that their product had been captured by Product Managers[tm] desperate to justify their own existence by shipping ever more Features[tm] without considering the impact on the core functionality.

BW's UI is by no means perfect, and their entry editing flow is far from ideal. But at least most of the actual usability snags in their browser extension have a common workaround: pop the BW overlay out from the browser, into a separate window. Their open-source nature and availability of independent implementations mean that there will be alternatives, should BW go down the same features-features-and-more-antifeatures hellhole in their race to eventually appease their VC backers.

Less is more.


When did you do this 1Password evaluation?

Sounds like our experience with it could not be more different.

> The UI for 1P was a real mess.

In what way? You described how you feel about the UI, but I’m curious about actual specifics.

It’s entirely possible that I’m just too accustomed to it because I’ve been using it for many years, but what you’re describing is how I felt about Bitwarden.

I can completely see choosing BW in a corporate setting for a host of other reasons. But for me personally, the priority is a tool that gets out of my way and just works.

The tool that has done that is 1P.

> Less is more.

That really depends. If less means that the password manager doesn’t get used, then less is less.


> Ofcom have strongly hinted that this is primarily aimed at services with millions of users but haven't (yet) actually clarified [...]

This has echoes of the Snooper's Charter and Apple's decision to withdraw ADP from all of UK.

It is not enough for regulators to say they don't anticipate enforcing the law against smaller operators. As long as the law is on the books, it can (and will) be applied to a suitable target regardless of their size.

I saw this same bullshit play out in Finland. "No, you are all wrong, we will never apply this to anything outside of this narrow band" -- only to come down with the large hammer less than two years later because the target was politically inconvenient.


> The US population is aging, which means that 36% slice is going to naturally grow. What do you think should be cut, and how?

The callous, cynical and on-brand answer to that question is: "the number of elderly, in the cruellest possible fashion". You've got to balance the age pyramid somehow, right? And if that sounds obscene, you're not alone.

The depraved part is that from an inhuman, entirely utilitarian perspective there is a ruthless logic to it. For many Western societies it would be fiscally so much easier if you could just ... get rid of the over-aged population. Or at least the segment who don't have dynastic wealth to protect them from the ruin.

It seems to me the US now have a government who have no problem trying out their own variant of Logan's Run.


It’s also notable that those who used “death panels” as a scare tactic back when Obamacare was being created were perfectly fine with saying some old folks just have to be sacrificed during COVID and will be perfectly fine cutting Medicare and Medicaid if they can get away with it. And, of course, they are also ok with the private-run death panels most of us are subject to by our insurance refusing to cover necessary treatments.


Those with dynastic wealth should be the first to go. The sooner the inheritors get their hands on what's coming to them the better off they'll be.


Ironic, given the age of the leadership.


> Why were people not mad then?

Oh, we were. I am in the crowd who had been asking for generally used encryption since 1995. After all, we were already using SSH for our shell connections.

The first introduction to SSL outside of internet banking and Amazon was for many online services to use encryption only for their login (and user preferences) page. The session token was then happily sent in the clear for all subsequent page loads.

It took a while for always-on encryption to take hold, and many of the online services complained that enabling SSL for all their page loads was too expensive. Both computationally and in required hardware resources. When I wrote for an ICT magazine, I once did some easy benchmarking around the impact of public key size for connection handshakes. Back then a single 1024-bit RSA key encryption operation took 2ms. Doubling it to 2048 bits bumped that up to 8ms. (GMP operations have O(n^2) complexity in terms of keysize.)


"We" is a special group. I am technical but never thought much about it back then. There is a boiling frog. The 90s internet was used for searching and silly emails. Now it has your life in the cloud. But that didn't happen in a day.


Let's put the whole thing in context. This bill is intended to prevent foreign governments[0] demanding that companies headquartered in the US[1] modify their products and introduce backdoors.

The top bullet point in the press release makes it crystal clear: "Prevent foreign governments from using the CLOUD Act to require U.S. providers to adopt specific designs for products, reduce the security of a product, or deliver malware to a customer."

It looks like the intended outcome is that if a foreign government wants to investigate a US based individual, they must go through the official, international court-to-court co-operation request channels. US courts can then grant the necessary warrants and/or compel that individual to give up the requested evidence / other material. Isn't that how things are supposed to work?

Interestingly, this bill would also collide with Australia's similar law.

> Let's say I'm Microsoft and I operate in the UK ... UK can still contact Microsoft and has to respond if they want to operate there.

If and when cross-border laws collide and conflict, it should be up to the governments to sort it out. The UK are perfectly within their rights to require that Microsoft provides information and data on entities who reside in the UK. Demanding that Microsoft introduce backdoors into their products or deliver malware to individuals would go far beyond that.

Personal context: Finnish, living in UK.

0: in this case, UK

1: as a trigger in this case, Apple


> *suppose that the UK wants to go their usual "lighter touch regulation" than the EU route to attract investment.*

Not just that. A speaker at a conference I attended about a month ago mentioned that the UK is actively drifting away from the EU's stance, particularly on the aspect of AI safety in practice.

The upcoming European AI act has "machine must not make material decisions" as its cornerstone. The UK are hell-bent on getting AI into government functions, to ostensibly make everything more efficient. As part of that drive, the UK is aiming to allow AI to make material decisions, without human review or recourse. In a country still in the throes of the Post Office / Horizon scandal, that really takes some nerve.

Those in charge in this country know full well that "AI safety" will be in violent conflict with the above.


I'm someone who generally sees no benefit from Brexit but I think being able to crack on with AI without EU regulation is a benefit.


It's nothing to do with the EU, or a "regulation".



Not really sure what to say to this. It's a screenshot (from the tech-bro-in-chief no less) of a ChatGPT response, no prompt included. We are discussing a current event.

As an attempt at a response, the UK is not party to the "EU AI Act" or the "DMA/DSA", we left before they were passed as law in the EU. The UK has its own "Digital Markets Act", but it is not an EU regulation. The GDPR is an inherited EU regulation.

The AI summit was French led, to get a global consensus on what sort of AI protections should be in place it looks like. The declaration was specific to this summit.

So, nothing to do with the EU, not a regulation.


I'm not sure what to make of it either, not my area but there's this sort of thing that happens https://www.euronews.com/next/2024/07/18/meta-stops-eu-roll-...


Meta and other data mining businesses are constantly complaining about the GDPR because it limits their ability to steal personal information and they have to comply with data residency, consent and deletion regulations. They also "play dumb" and blame compliance with a regulation they want gone, or make a big deal out of compliance to turn public opinion.

When there is a difference in regulation between major economies there may be an advantage to be had, but my feeling is that the GDPR (or similar) is not the main reason European tech companies are unable to compete with the US. There is no equivalent of Silicon Valley in Europe that combines talent and investors in one place.

It's a hard problem to solve when Europe is made up of multiple countries and cultures, even if the EU has aligned some key things.

