
What’s doing the verification of the email on the server side? How does this service associate the email with the account? Specifically, what could be put in the email header or body by the MUA that is equivalent to a single use auth token?


Thanks for this. I recently left an otherwise awesome job mostly because of OKRs. I am still trying to articulate why.

I'm going to correct you, because it's relevant. Mehta says, "but only if it is actually accretive to the strategy." I think the accretive is important here, because one of my observations on how we were doing it wrong was that there were no stated goals for security against the company as a whole. This made it seem like each team's OKRs were a chaotic free-for-all. Intuitively, the goals for security as a whole should be based on the overall needs of the company, divided up across the appropriate teams. These teams will have the tribal knowledge to write the best roadmap, determine who will own the workflow that the project generates on completion and generally know how to scope each task.

Going to listen to the podcast now. Maybe I will have more to say after. Cheers.


And there it is, the one thing I can never have an honest conversation about. The rules are different for ugly people, based on my personal experience as one data point. We're the last lot that everyone can discriminate against, or abuse, and get away with it.


Heartbreaking to be discriminated against as a result of largely immutable characteristics but there are other groups abused with impunity as well. For example, unintelligent people who are not obviously disabled. Or people with speech defects that are not readily considered disabilities. Even people with acne, rosacea, or eczema -- which is a medical issue and protected to some extent.


Old people are in the same group, though age is definitely related to unattractiveness.

With many sick people, it's also impossible not to discriminate (although that also correlates heavily to getting old).


Discriminating by age isn't always unreasonable. It's useful to have different generational perspectives in many areas. For example, I think it's a serious issue that the average age of public servants in Congress is so advanced.

The older generations are responsible for training and passing the torch onto the younger generations. The older generation can't keep clinging onto power until they die off.


Congress is full of corrupt people; it has nothing to do with age discrimination. You won't get an old person ever joining the party; all the people who you are talking about built their political power by being corrupt for all their lives.

"The older generations are responsible for training and passing the torch onto the younger generations."

That's not how the world works anymore. But of course experienced people are paid well to manage the inexperienced.


Don't worry, you're not the last group. From personal experience I can say people on the spectrum are fair game to discriminate against as well.


I'll bite. We're coming up on our 24th anniversary. I will likely regret this, but this is what I have learned.

1. Misery is a function of expectations management. As is said, every relationship is different. Expectations could range everywhere from

"You are an adult and this is your house, too. Clean up after yourself like an adult who owns a house."

to what is common in our house,

"Housework gets done when it gets done. Fortunately we live in an area that doesn't have roaches."

It is notable that the author does little more than speculate on his wife's expectations. After that many disagreements, not fully understanding the other person's expectations is a big red flag. We can argue all day long as to whose responsibility the understanding is; that is also a big red flag.

2. It's not about the work you do, it's about the work you make. This one is a big deal to me, since I grew up in a family that expected me to clean up after them. All the laundry, dishes, yard and additional housework was my job starting when I was 10. And no matter how well or poorly I did, chances were high that I was going to get hit for something. Note that the author does not provide any of this context. His wife very well may have been looking forward to spending the rest of her life with a partner who was an adult who didn't leave crap laying around, knowing that it would somehow magically reappear clean in its designated storage location. Or she could just be uptight.

3. No relationship of any kind is fire and forget. It is a daily commitment to a complicated matrix of rules and accommodations, all of which has a cost. If a person does the cost/benefit analysis of doing this work and decides it's not worth it, hurt feelings and financial implications aside, it's not worth it. This is not only true of marriages, it's also the case for friendships, family, employers and coworkers. We're making hundreds of these calculations every day. It's a thing we do to feel safe. When the benefit does not outweigh the cost, you don't feel safe. That's bad for everyone's health.

4. It takes 5 positive experiences of someone to reconcile one negative one. I think I read another comment that was adjacent to this. I see this as sort of an economy of deposits and withdrawals, and that's not a particularly original analogy. At the end of the day, we are social animals; both small and large gestures of allegiance foster an environment of safety and comfort. Our lizard brain needs these things.

5. Capuchin monkeys prefer grapes. Fairness is a reflex. It is not rational and does not respond to logic. Though I can respect, "I might want to use it again."


This is terrific, and resonates strongly. Pretty much the only thing I'd perhaps slightly modify is that 5 to 1 deal; why this may not resonate with others is that you can come into it with a high or low threshold for this sort of thing based on lots of factors -- how you grew up yourself and certain social pressures may make you more sensitive to (or resilient to?) certain types of negativity. Point is, YMMV on that ratio.

(but yeah, I do live where there are roaches, and it's definitely "do literally just enough so that there are no roaches" here) :)


I've seen many apps sending metrics to domains owned by Facebook while I was testing them. This does not surprise me at all.


I may not be caffeinated enough to participate in these threads articulately, but this question made me realize something that hadn't quite clicked before. As I have experienced it, the existing (waterfall?) model for deploying new features and bug fixes in large organizations requires going through QA and security review, where (hopefully) the on site security team has some sort of checklist or guideline for doing whatever analyses they do. But as they move over to agile, continuous integration/delivery, is there still time to deploy a complete staging build and wait? We have been working with small companies for ~2 years now and I haven't rigged up something to test code in at least a year. Mostly I just stare at it until I've figured out if I can exploit it.

This is where large companies might trip and fall, if they expect their existing security analysts/teams to do this (or, as you say, if they try to offload it onto developers or ops people, even ones who are more interested in security). I don't like how this sounds, what I am about to type, but the majority of security people -- particularly the ones at the level where they are hired to run QA-type audits -- do not know how to review code. It really does make me uncomfortable to say this, but if that's the rock, the hard place is how many times I've had to tell someone they really need to learn to code if they want to "work in security."

So when you say, "good security people," what you mean is people who can read and write code, and also have enough experience to know when that code can be used in a way that the original author did not intend. It's almost as if there's a misconception that being able to read and write code is what you do if you're a dev or devops. This mindset is odd to me in so many ways. It's like saying, "I don't need to know how to use a screwdriver or a hammer because I'm not a carpenter." Even better, someone who understands what it feels like to be under some pressure to roll out changes where there might not have been a lot of time to consider malicious behavior. Someone who has your back.

Just yesterday or the day before, I had this inexplicable crisis where I was concerned about the value I am providing. It's gone now. Thanks!


Yes, a lot of companies are definitely missing good application security personnel. Many companies don't even have a real infosec department or team at all; many have an infosec department but no dedicated appsec team or process; many have appsec people but to them "application security" means a team of 2-3 people who run IBM AppScan once per week and basically just attach a computer-generated report of findings to an email sent to a distribution list with almost no other input. Often without even reviewing the code flagged by the tool or eliminating false positives from the results, let alone performing manual self-driven code reviews.

For others, their appsec team(s) is/are constantly building security libraries, frameworks, and tooling, and scanning code for security issues with software and manual review on a daily basis.

Information security is still just a checkbox for a lot of companies. This is gradually changing with more and more breaches in the news every few days and executives who are finally starting to appreciate that the consequences of a breach can be very bad, but it's still pretty common. I really don't think many companies have solid appsec teams that are doing the things you and I would hope they would do, and I agree that probably a scarily high percentage of "application security analysts/engineers" do not and cannot review code effectively.

You are absolutely right that knowing how to write and read code are crucial skills for many aspects of infosec and that a lot of people neglect that, and it's disheartening that there are many companies who don't really have people like that on their security teams - even companies that claim to have an appsec program. But application security is also only one aspect of a solid information security program, and some other aspects do not necessarily require development knowledge beyond the basics.

From what I know and have experienced to a small extent, FAANG (and others in/near that tier) invest a ton into application security and really are doing it right, at least. (Or are at least doing it way better than 99% of other companies out there.)


My money is on there being a direct correlation between companies who did early adoption of internet technologies as crucial to business and 'doing it right' versus those other companies who view IT and security as 'cost centers.'


Absolutely. I recently moved from a company that viewed IT and information security as cost centers to one that views them as core business components, and the culture (and competence) difference is very refreshing.


If this is a way to treat depression, maybe dialing back the crap way we treat each other is preventative. I've been angry for a long time that I have to take medication because most of my life was full of people who seemed to get some sort of perverse pleasure out of making me feel bad for things I cannot control (like being female, nearsighted and unattractive). Somehow it's not possible to simply disagree with someone else and state your contrary opinion, but rather to escalate quickly to aggression and personal attacks. Somehow it's not possible that we can organize ourselves so that a greater number of people can have their physiological needs met, much less feel safe and heaven forbid we should feel love/belonging or have a modicum of self-esteem because how would advertisers ever sell anybody anything? And along comes the internet where anyone is entitled to say anything from a distance and not have to look into the eyes of the human being they're taking a scrap of dignity from.


Particularly family and close friends. I really don't give a damn what one-time acquaintances and Internet handles say, but when people who should know you better don't, that can be severely damaging. Ultimately I think depression is really chronic existential crisis along with alienation, and while I don't preclude treatment with drugs (as there could be associated physiological aspects that can be corrected and normalised), ultimately one has to 'find' the meaning and joy that can get you out of the rut oneself. But it's not easy.


Chronic existential crisis can be accidental too. I'm barely out of a clinical critical one, and it was the sum of very long-term factors that just exploded at the same time in ways that were near impossible for me to predict.

Anyway, drugs can be very helpful (coming from someone who refrained from using them) to smooth the bad peaks. It's impossible to fight that.. kinda like bleeding. Then you can work on other aspects. Also depression has some absurd side, because as long as your brain is tilted nothing works; the day it starts to balance again, for no special reason, you'll start to have mental energy and pleasure you forgot you could have.


"...I have to take medication because...of people who seemed to get some sort of perverse pleasure out of making me feel bad..."

In my head I boiled your comment down to that, and it hit pretty hard. I have had people encourage me to take anti-depressants because of my reaction to the way they're treating me.


I'm on your "friends" side with family members. You made me reconsider some aspects of the situation.


There's a word for that. Gaslighting.


I think this is 100% spot on correct. Life is damn hard and cruel without our help as it is. We don't need to add to it, and yet we do. Thank you for posting this.

Being able to have a conversation with someone of differing opinion, and keeping it a conversation and not an assault, is immensely valuable for both parties.


>And along comes the internet where anyone is entitled to say anything from a distance and not have to look into the eyes of the human being they're taking a scrap of dignity from.

That's the wonderful thing about the Internet; it's not real life! Personally, I think it's a hoot, but you have to sublimate the pain with humor. :D


But the internet is real life. It isn't some alternate reality. Your actions online affect real people offline, and they also reflect on you. I think a lot of people forget that.


If you think insulting people on the internet is fun because "it's not real life" that makes you an asshole.


Don't get me wrong, insulting people in any medium is fun, but it's less fun in real life because

- you're limited to insulting only those in physical proximity, and the logistics of traveling around and repeating insults for greater insult coverage are a hassle,

- your insults are easily traced to your identity, opening the possibility of social or legal consequences,

- and, unlike the Internet, physical harm is an option in real life, which is a very bad consequence!

That's why, for assholes or political dissidents alike, the Internet is so wonderful!


Bring back teaching 'manners and comportment' in schools! Seriously!


[flagged]


That crosses into personal attack. Please don't do this, regardless of how someone's comment lands with you; it breaks the site guidelines and eventually gets you banned.

https://news.ycombinator.com/newsguidelines.html


[flagged]


@elptacek's comment does not strike me as hostile. It resonates with me.


Any measure like a PIP is an attempt to reinforce a political/power structure. Where "mismatched expectations" indicate that it is not clear whether the behavior of the employee or the manager -- specifically, whichever manager has some part in that employee's success within the organization -- is the larger contributor to the failure to meet expectations. Most organizations are notorious for a systemic inability to distinguish one from the other, defaulting to laying the onus on the employee. So "working like hell" ends up as "effort expended in the wrong place." On the part of both parties. An "honest PIP" would be one where the intention is perceived as good, even though the need for a formal process is the result of some other weakness or failure where the net result is a less robust relationship, overall.


Oxytocin levels also increase. That would be the first one I'd test for -- if there was a correlation between oxytocin levels and extent of grey matter loss.


"Mice Splicer" on your resume, though? That'd be an interesting interview conversation.


I had to do exactly these surgeries on rats for a few years as a lab tech.

Also did some other fun things such as mass killings of rats using mini-guillotines, harvesting bones and doing amateur brain surgeries while other rats watched restlessly and anxiously peeped from the smell of blood.

This kind of stuff can mess with your sanity. For me it was a converse of how serial killers injure animals when they were children.

Still have nightmares sometimes.


Why let the other rats watch/smell? That's just cruel, and the stress might actually skew your testing data, screwing over your experiments.


Most likely they grab a box of 2-3 rats, take it to a procedure room, and perform surgeries on all the rats in sequence. It's a bit on the lazy end, since you could always do a surgery on one rat, take it back to the housing room, and get the next one. Some labs do not permit animals to observe another's surgery or euthanasia. The rules are more lax for Mus musculus and Rattus rattus than for other mammalian species, in the US.


They probably don't have much choice for where they did it. The animals likely couldn't see it, and the stress levels were probably minimal. It's not likely to be enough to harm the experiment.

While, yes, everything can be a variable, the effect wouldn't be big. I imagine the person running the lab had done this before and has gotten good results: rats are expensive and a hassle to keep. If his experiments had been 'screwed over' because of practices like that, his PI probably wouldn't be able to gather enough useful data to afford funding for animal use.


>while other rats watched restlessly and anxiously peeped from the smell of blood.

What a sad situation to be caught up in.

