* Posts by gggeek

5 publicly visible posts • joined 3 Nov 2020

We tested all the Ubuntu remixes for resource usage so you don't have to

gggeek

Re: Localisation

@arkeo I used to do the same as you. After living for a few years in the UK, I started preferring to default to British English everywhere. Lo and behold, I found out that the British locale has settings closer to Italian taste than the US one for almost everything. You do not need to fall into the trap of letting "US English" become the de facto universal choice only because that's where a lot of software houses are headquartered...

Cut us some Slack: $27bn+ later, collab tool officially belongs to Salesforce

gggeek

Re: More mediocre software

Funny, but my impression of Slack is quite opposite.

When we started adopting it at $company (software development biz), there was a lot of pushback from the more diehard open source fans, ready to sacrifice themselves on the altar of Pidgin and other house-managed, libre solutions.

After a couple of months, 99% of the employees had voluntarily switched, and the sysadmins were ordered at gunpoint to shut down the irc server.

No software is perfect, but I personally found the Slack interface to be extremely well done and functional, and the app to be remarkably bug free. Yes, the desktop app is built on Electron, and it is a resource hog, but it is probably the best Electron app I have seen so far.

Sure, the interface has grown fatter over time, being currently cluttered with too many options and functions, but that's basically evolution of every software ever.

For some of my colleagues, the strong selling point was instead the myriad of integrations available.

MS basically stole their lunch with a product which is vastly inferior, because of their monopoly position.

Teams' interface is an unholy mess, trying too hard to be at the same time email / videoconferencing / calendar / filesharing / project management and failing at all of them.

Don't even get me started on how borked MS's idea of SSO is for anyone working as a consultant and having to connect Teams to multiple customers' ADs...

JetBrains' build automation software eyed as possible enabler of SolarWinds hack

gggeek

Re: they are ripe for abuse

Re: Not every company is staffed by cowboys.

I agree.

I also worked in airport IT for quite a while (security was a complete joke there), and as a contractor for banks for a shorter while (and indeed they took security much more seriously).

There's no hard proof yet but it seems rather probable that SolarWinds did not operate with the level of infosec paranoia that is common in the banking sector.

The problem with supply chain attacks is that your security is only as good as the one of your weakest provider, and everybody has a million providers. And providers' providers.

Sure, software companies raking in billions should know and do better than coding cowboys, but experience tells me that habits and mentality are hard to change. If anything, it is harder to improve existing practice than it is to start from scratch with the good mindset.

PS: one of my favorite anecdotes in security is when I was called in to consult for a company producing both mil and civilian aircraft. Their security setup was impressive: no way anyone external was allowed to enter the premises unescorted, and I could not even move from the devs' room to the restroom without someone looking over me. But... at midday... the canteen being off premise... the company just opened the gates for two hours and anyone plus their dog was allowed to get in and out, as doing ID checks would have impeded the employees from getting their lunch in a timely fashion!

gggeek

Re: Access to business critical systems

Exposing the CI/Build/Dev systems to the internet only with 2FA and/or VPN is miles beyond the security practices that I've seen implemented at most companies I have been involved with...

I'm speaking about the web dev industry, which might have (hopefully) different practices than other businesses, but what I have often seen, even in recent times, is rather:

- Jenkins/Jira/Stash/Confluence & friends seldom updated to the latest release, even when they have known security bugs

- shared passwords used for all these tools. Worst case scenario is that they are wide open without auth to anyone with intranet access

- auth tokens to customers' systems written down in plaintext in source code, build scripts, developers wikis

- domain credentials for all company employees handed out pre-generated from sysadmins and never rotated

- no offboarding procedures set up, or plainly disregarded, with hundreds of ex-employees' and ex-customers' accounts still active everywhere

- VPN enforced for connecting to the intranet, and assuming that everything on the intranet is secure (because devs run Linux laptops instead of Windows, ha!)

- etc etc

Luckily these companies do not have tens of thousands of high-value customers, and are thus below the radar of serious supply-chain hacking attempts, but they are ripe for abuse not by nation-state actors, just by joe random script kid.

The reasons for all these bad practices are the usual ones, with the addition that developers cost a lot of money, so one does not want to have them sitting idle while the CI server is down for an update, or because they are waiting to be sent a new auth token. Sure, tools like Vault exist, but they are not easy to implement and manage.

Now, think about your average company: how many providers is it employing to implement its websites, CMS, intranet, ERP, HR, etc... software? Plus the external consultants of course! How many of those do practice good security? And how many of them have access to the company's servers and network?

Travis CI complains of 'significant abuse' of its free deal, creates new pricing that has developers riled

gggeek

Re: "zero marks for planning and foresight" - talk is cheap; implementing a Disaster Recovery plan is not.

I maintain two dozen or more open source projects.

All of them were started or inherited as part of my employee duties, but currently I am self-employed. While my previous employers were happy enough with the dissemination of their IP in open source - mostly to gain street cred useful to recruit the brighter young devs, I guess - they were much less inclined to pay for any CI/CD tooling and hosting.

Over time all the projects have been migrated from Sourceforge, self-hosted svn, etc... to GitHub. Hard to resist a service that is free, well-known and loved by the oss community and has best-in-class features and ease of use.

What would happen if tomorrow GitHub goes titsup, or deletes my account for whatever reason? I surely do have backups of every project's source code, but it still would take time to upload them to a new hosting. Plus I would lose a lot of non-code project data such as open issues, web pages, lists of contributors.

The situation with Travis is not dissimilar: when it started it had a unique offer. Now it is not unique any more, and probably not free for long.

Will I be able to move to GitHub Actions? Surely yes. Am I looking forward to that with trepidation? Not really :-)