Posts by froggreatest 34 publicly visible posts • joined 10 Jan 2022
Great points! Another spect of this is that those same European govs and admin are buying foreign tech. If you are a startup it is very difficult to sell to them. Startups are left with a consumer market which is fragmented, not like in US with one language and similar regulatory interface.
They just need to make shareholders happy, and the world gets fragmented so they also follow this trend. Confidential compute is already available in European datacenters and companies can use those to protect data from exfiltration into US. It is abit more expensive and complicated but it is there.
The issue is more related to organisations not having a ciso or not giving them much power or not funding any data governance efforts. Security is not a revenue generating expense, nobody gets promoted for patching dependencies. Just look at the number of places that use a vulnerable log4j dependency.
I suppose he could have left a backdoor instead, which would have allowed him remote access for the destruction and cleanup. Otherwise, the trigger based on his name in the system is rather naive, but I’m struggling to come up with other type of checks you could do to check if one was sacked from within a production box.
Most of the work inside is directly related to enforcing the advertised policies. Everyone gets red statuses these days and works on SFI.
Saying show me the evidence is valid but do you expect MS just listing all of the discovered weak points of every service and product they have?
> According to NRG, 56 percent (1,405) of executives reported that gen AI had in some way bolstered their org's security posture <…>
> <…> with 39 percent of enterprises having not yet implemented the technology in production.
Sounds like anyone who uses gen AI think it makes the company secure. Unless those percentages are for different groups of people.
I like the man and he inspires me. My life chooces and the move towards improving the wand skills is partially influenced by him.
However I want to stress that nothing will change because majority does not care about the quality of software or its security when buying it. The incentives effectivy reward building features on top if each other. Nobody needs an engineer/developer that understands how packets traverse networks how memory works or how cryptography aids in authentication. Everyone just needs a React dev who can put a button in their UI or a dev who can add another API endpoint, or the one who can render responses from openai in the view.
Microsoft started prioritising security internally and dealing with the technical debt after recent failures. But if tgere will be no failures in 6 months who says this practice will be maintained? The same applies to other companies. The future is bleak.
You need to be able to monitor if your phishing awareness training is effective. In my megacorp we do mandatory training and we also get phishing emails. The training says “if you get X then report it in Y” so the regular phishing campaigns gives a measure of a variety of things. You see how many people reported, ignored and clicked after taking up training.
I do not know what happens to people who click the links though.
Multiple attempts have been made in the central gov already. But stop and think how many failures we had, most recent GDS and Verify, both good solutions IMO. There is no need to design anything in the gov at all, there are plenty off the shelf solutions that can be bought. The issues in the procurement process exist although there is a central digital marketplace.
Gov should sit down and draft standards to implement, then suppliers could develop against those without the fear of anticipating more logo/colour changes in the sales process.
There are a couple of reasons why generalised solutions do not get to the market (I was developing software for LAs before):
- Sales process is lengthy (months to years) for each LA meaning you need a bunch of salespeople
- By the time you scale to 10 LAs the legislation has a good chance of changing and your solution goes out the window
- There are not that many LAs so there is a hard growth cap for your product, repurposong for other markets is very difficult
- Councils like customisations and it is difficult to write software so that a lot can be changed. Think colours, branding, wording, Welsh might be necessary, one-off integrations with proprietary systems
- Folks working in councils “sometimes” do not understand their own processes well
- Integration usually needs to work without the involvement of their IT due to various issues like resource constraints and a difficult attitude to trying to solve issues
> “… and people have very high expectations," he told an audience of investors
I think what he was saying that people want a good product and not just some semi finished crap bolted on openai’s api’s.
Also, the claim it saves 10 hrs a week is baseless. I’m using these various tools daily and their effectiveness is marginal, akin to being introduced to a typeahead in the search.
There is potential for sure, discounting all of the hype, but it will be acieved by some other company capable of building better products.
Oh yes, it goes very slow and you need people on the ground to constantly persuade the folks and move the whole thing forward. Nothing can be done fast and there is a risk that some new legislation render everything useless. But once it is in place you get your 5 year contracts and the stable revenue stream and you can be proud of doing something useful.
I would not be that harsh towards salaried people though, the responsibilities are quite high and they could always earn more in the industry. The fact that they can get those “IT” people is interesting though. Aside from that I found IT departments in public orgs terrible anyway, they are probably understaffed and constrained by contracts but still …
The arguments are weak indeed. Google is losing big time in this race and they are mad. I suspect MS wants to have an alternative model selection in their products to show they allow customers to choose, which is a good thing. Google’s problem is that they do not care about their enterprise customers so those shun them, MS on the other hand promises gold and wine and more.
Yes MS is leading their customers to the Azure quicksand but the same applies to all public clouds. Azure is not great IMO, there are better alternatives like Huggingface to choose and run the models.
Regardless if it is InteeliJ or some other IDE like VSCode this is nothing new. The ML was there for quite some time helping us with autocomplete and other little bits that make your typing work 1% easier. The big problem I find with the current wave of these integrations is that they do not work well with simple stuff like writing a dot after some variable and then waiting to get a list of public methods but instead getting a suggestion to write 77 lines of unrelated code.
The correctness argument is spot on. The suggestions require you to spend more time auditing, which is OK if you were writing it, but younger folks just trust it blindly.
The tools are useful for sure but this is like fiddling with “advanced options” in the application settings. One has to be very precise in their wording to get what they need. I know only a handful of people who are pedantic with text they write.
Another thing is that it requires a behaviour change which is extremely hard. Talking to the bot in the chat and asking it to fix the mistakes in its output adds a bunch of friction. All the time you need to tell it to be brief and concise to avoid generating a bunch of text that then needs to be read.
And the deal breaker are the safety features that prevent it from telling you how to do a petrol bmb or to tell an edgy joke, or how to write malware. Because why not?
It is very difficult to understand what methods were used in the attack to gain such wide access. But more mitigations could have been applied long before. Nonetheless part of the problem is that telcos are not the ones offering a top dollar for the engineering talent, not to mention that a country is at war and rely on their internal capacity. Security is not just an expense anymore and more pros should be present in such companies.
I do have the experience and it is a bit more complicated. There are multiple reasons and one of them is that the incentives are aligned to favour new features and new products. Also, if a paying customer complains then mountains will be moved. Otherwise the amount of work you need to do and various checkboxes one needs to tick to fix some minor issue and roll it out globally is quite painful. “Bad people” exist but these days it is hard to slip something stupid into production due to many changes that happened in the past decade. To summarise it is a bit hard to iterate on a product in the big tech without substantial investment of energy, hence nobody fixes that annoying bug like a dropping bluetooth connection in Teams.
I have thought npm integrated with Google’s SLSA, but nothing came out of it? No added security? Also, the version pinning issue seems ridiculous, npm supports it and there is a way to lock specific versions for each dependency, the slippery details of this misfortune need to be cleared.
Smells of cowboy stuff, I hope the lawsuits will trigger others to be “a bit” more careful.
Spot on, everything circles around the choice of a license. If you use MIT and then get angry at Amazon for commercialising on it then look into the mirror.
It is a bit harsh though because a lot of folks were brainwashed into believing the companies will either help you or pay you or make you famous or offer you the job, but it is imperative you use MIT or similar. It is all to make it easier to share code and make innovation faster.
It shows a lack of understanding about licensing and forward thinking. I do not blame anyone as this sort of stuff is not being taught everywhere.
Bean counters are unaware of the failures per se. This is all to do with the management who green-light the fact that it is fine to have a few people. I believe one of the lessons here is that there should be a minimum of x people per some y size datacenter.
> and often more effective
This only works if you have one main office and all employees work there. In my case I need to wait for the folks to wake up in the States and call them. No walking in the office will help. This applies to any subsequently large or distributed company globally. The proper documentation, recordings, online meetings, collaboration on docs is the answer.
I was in a similar situation. My wife told she hates the place and needs to move back, 3h away from the office. I decided to commute and just rent a spot like you. With time I spent less and less time in the office because it would become evident this was just a waste of my time (we used to speak little and chat to each other to keep the history and to share with externals). The watercooler moments were non existent. Eventually I ended up 100% from home. The boss also did that and subsequently got rid of the office.
Then Covid, change of jobs and I am still remote. We (at home) had some challenges though as it was not clear where to buy the property but we remained far from the capital in the end. The biggest issue for me now is that I could not even afford to do what I did before. But maybe I’ll never need that because the work shifted and. currently team consists of people who are distributed among multiple time zones. Going back to the office would be a joke as I would be alone amongst strangers.
A couple of days ago I wanted to write something with this new language. Unfortunately, you must ask for permission, and even then you can try it in an online notebook environment only.
If a developer cannot run it locally it’s a bit far away from adoption I guess.
As for the use cases I thought it might be a great fir for Robot OS or small devices like RPI, but I cannot test it to verify my assumptions at the moment.
If this materialises into something that triggers IETF efforts like SCITT then it is great - without standards we’ll be lost; if it forces more due diligence for software vendors (regular qa and pen tests where the results are visible to the purchaser) it is also great - managers will be forced to factor that into the price instead of “thinking” it will be ok.
Otherwise the software prices will skyrocket as nobody will want to claim responsibility for the bugs in OSS packages (although most of the product is made of those). OSS licensing already contains statements “use at your own risk”. The other option would be to build inhouse components but yeah it would be extremely expensive and bug ridden.
Also, if I (engineer) was asked to become responsible and face possible jail term the I’d just quit and do my gardening. Some of the bugs are not just a simple mistake in a line of code but rather a collection of code changes made by all seasoned and junior engs and managers; or rather prototypes that became products :)
I’m gonna get my indemnity insurance before the price goes up.
Workday job application “portals” are quite terrible. Every time I applied it was necessary to fill in all of my details along with the job experience. The futuristic “import my cv” would always trip over in some places and I would need to fix the mistakes. Now if there is AI somewhere, I can only imagine how great it is.
This chap had to deal with such crazy user experience for 80-100 times.
This is a monumental integration job. You’d need to speak with every rep from each org to change even the smallest thing. Each change would take ages to do because departments have folks who are either too busy or too new to the job which makes it extremely hard to do even the simplest stuff. Then there are some exceptions in the system as usual, which is time consuming to implement.
I’ve been there, the projects take ages to agree upon (time=money) then you get the purchase order and something completely unexpected comes up from one of the users… You could easily burn through a mill a year and fail to deliver because multiple reasons beyond your control.
In the past year I’ve invested a lot of time to try and break into the top big tech companies. I’ve done multiple interviews and failed many many times. Not to mention automated reject responses after the time spent tailoring the CV and writing a damn cover letter, forget the cover letter - an essay about how I’m “naturally” fit to work in a particular company. Also, I’m now regularly doing those algorithmic type tests on Leetcode to be sure I can find an optimal algorithm for a given problem in a couple of seconds. I hate it so much but there is some silver lining to it, I got to know my preferred language more, which is not possible at work (the irony). I was forced to read and learn about the challenges in large system designs which is again not possible at work. Most importantly I realised that it became much harder to get a job despite the years of experience - we are competing with a new generation, in a global pool of talent for a limited amount of highly paid jobs. Another weird thing is that all big companies want to do like >5 interviews and this takes a monumental amount of time. Wish me luck I’m doing 3 interviews this week.
The numbers are scary but a bit misleading. In a naive js project (most of Github) you would automatically build it upon every commit or a PR which in turn does “npm install”. Now, PRs are automated these days through the use of various bots and could be opened/closed on a regular basis without the intervention of the programmer (more downloads). This does not mean that the software downloaded from NPM is deployed to a server, lambda, or becomes part of the website js code.
OMG how much open source we use at work (Fortune 100) and nobody has even the time to talk about it, let alone pay for it, or even dedicate some time to contribute. All we do is just glue it all together. If I had a company card I would definitely pay and support the maintainers but it is not how big companies operate. Also, nobody really cares because there is no accountability, I’m not going to push my manager tomorrow to pay some random developer I think needs support, I want to be promoted at the end of the day.
On the other hand why the hell developers use those permissive MIT licenses and then sob when their code is monetised without leaving them any coins? Is there no license which would say it is free but only if your turnover is less than $250mil? Surely you want to retain some copyright power in these situations. Or maybe consider using a copyleft license to make sure future generations will have access to this code?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
