redfox

joined 9 months ago
[–] redfox@infosec.pub 9 points 1 month ago (2 children)

Won't someone please think of the investors...!

[–] redfox@infosec.pub 43 points 1 month ago (12 children)

I'm just glad they're still distracted with torrents...

[–] redfox@infosec.pub 6 points 1 month ago (1 children)

rawdawg some torrents

LOL! Did you spray 1's and 0's in their face when you were done?

[–] redfox@infosec.pub 1 points 1 month ago (1 children)

Good comments.

Do you think there's still a lot of traditional or legacy thinking in IT departments?

Containers aren't new, neither is the idea of infrastructure as code, but the ability to redeploy a major application stack or even significant chunks of the enterprise with automation and the restoration of data is newer.

[–] redfox@infosec.pub 3 points 1 month ago

Lol, even in 2024 with free VPN/overlay solutions...they just won't stop public Internet exposure of control plane things...

[–] redfox@infosec.pub 5 points 1 month ago (1 children)

Blank check

Funny how that seems to often be the case. They need to see the consequences, not just be warned. An 'I told you so' moment...

[–] redfox@infosec.pub 2 points 1 month ago

Agreed.

Dont we all use centralized management because there is cost and risk involved when we don't.

More management complexity, missed systems, etc.

So we're balancing risk vs operational costs.

Makes sense to swap out virtual for container solutions or automation solutions for discussion.

[–] redfox@infosec.pub 2 points 1 month ago

Yeah, that's pretty risky for this point in time.

I guess the MBA people look at total cost of revenue/reputation loss for things like ransomware recovery, restoration of backups vs the cost of making their IT systems resilient?

Personally, I don't think so (in many cases) or they'd spend more money on planning/resilience.

[–] redfox@infosec.pub 7 points 1 month ago (3 children)

Seems like your org has taken resilience and response planning seriously. I like it.

22
submitted 1 month ago* (last edited 1 month ago) by redfox@infosec.pub to c/technology@lemmy.world
 

After reading this article, I had a few dissenting thoughts, maybe someone will provide their perspective?

The article suggests not running critical workloads virtually based on a failure scenario of the hosting environment (such as ransomware on hypervisor).

That does allow using the 'all your eggs in one basket' phrase, so I agree that running at least one instance of a service physically could be justified, but threat actors will be trying to time execution of attacks against both if possible. Adding complexity works both ways here.

I don't really agree with the comments about not patching however. The premise that the physical workload or instance would be patched or updated more than the virtual one seems unrelated. A hesitance to patch systems is more about up time vs downtime vs breaking vs risk in my opinion.

Is your organization running critical workloads virtual like anything else, combination physical and virtual, or combination of all previous plus cloud solutions (off prem)?

[–] redfox@infosec.pub 21 points 2 months ago* (last edited 2 months ago)

contract "options" are indeed normal. You could also lump in government contracts into the category your thinking about. I've never heard of a scenario where the vendor broke contract by not honoring the options. I also have never dealt with a vendor getting bought out and then not honoring existing contracts. Super fun to watch the corporate drama. I personally don't care for the private equity style business that seems to be an even bigger problem than the investor first/profit centric model that I thought was the worst thing.

[–] redfox@infosec.pub 1 points 6 months ago

My mid life birthday gift was an electric zero turn mower. Already had all electric yard tools. Will buy Tesla or best option in couple years. Never going to a gas station again!

So indeed, fuck gas

[–] redfox@infosec.pub 1 points 6 months ago

Office culture nuances... I enjoy them.

 

Indiana's legislature is getting involved in higher education. Your world view will likely inform whether you think that's good or bad. I can't think of many instances where it's good.

Edit: This post isn't an endorsement of the measure, there are more opposition articles below.

I'll include quotes from the posted article, and include a couple of other related opposition articles.

Indeed, from what I’ve seen, not a single professor or administrator who testified on this bill admitted a lack of ideological diversity in higher education. That is troubling and, at best, reveals an unhealthy institutional blind spot. There are other perspectives.

Today, American public universities are among the least ideologically diverse institutions in the world. Indiana is no exception. I am certain there is more ideological diversity in a typical infantry platoon than would be found at any public university.

Let me be clear by what I mean about ideology. I teach Karl Marx to first year students. That isn’t indoctrination. Likewise, a biology professor should ignore public opinion on evolution or photosynthesis. Our research and teaching should pursue and reflect truth, no matter the distress it causes. I am not referring to party affiliation or support for a particular candidate. By ideological imbalance, I mean there is an artificial closed-mindedness that stifles debate, isolates important perspectives and diminishes the richness of a college education.

One clear example comes from a Ball State University colleague who attended a brainstorming session on how to convince more faculty to live near the university. He suggested that highlighting the many high quality local schools would help attract new faculty. Most normal folks view this as self-evident. Yet, this professor was scolded by a senior university administrator, who said the university would not discuss that because “concern about school quality is white privilege.”

Opposition articles:

https://www.indystar.com/story/news/2024/02/26/senate-bill-202-receives-pushback-public-universities-indiana-purdue-ball-state-general-assembly/72743950007/

“If you’re saying that you want to be able to fire faculty for not promoting intellectual diversity, it’s basically giving a gag order to them to say: ‘Don’t upset students. Don't challenge them, or we might have to fire you,'” Erickson said.

While Purdue has not yet made a formal statement, their faculty-led Senate released a statement claiming the bill poses a near-existential threat to faculty tenure, making retaining and recruiting faculty harder and potentially eroding academic freedom.

Ball State's University Faculty Council chimed in as well in a statement condemning the bill and rejecting "the provisions in SB 202 which grant the Board of Trustees oversight of intellectual diversity on campus."

https://www.indystar.com/story/news/politics/2024/02/29/indiana-senate-bill-202-universities-purdue-deery-tenure-expression-holcomb/72780178007/

House Democrats for the last several weeks have railed on the bill in the chamber's education committee and on the House floor arguing against the premise that Indiana universities need the free expression requirements.

Historical and contemporary examples of such purposefully diminished intellectual spaces abound: from Communist Party-controlled university curriculum in China, to routine dismissals of free-thinking faculty in Islamist-controlled universities in Iran, to countless suspensions, intimidations, and even forced migrations of academics at the behest of political strongmen in Russia, Turkey, Hungary, to countless other similar or worse cases across the globe.

Discussion comments:

First, it's very well known that no one likes American republicans, there's likely no need for party bashing/name calling since there's already tons of posts for that. Please keep party related comments in context on specific educational legislation trends if possible. One of the articles mentions US conservative students though, so it's still relevant.

  • Have you ever attended an educational institution that you felt scolded for expressing an ideological view? Examples: Political, economic, religious, etc? What were those views and how were they received?

  • Have you attended an educational institution where the course curriculum was heavily influenced by political ideology? What was it? What is the context of your region/locality's views and how did it align or differ from what you were being taught?

  • "Our research and teaching should pursue and reflect truth, no matter the distress it causes." Do you have any examples of teachings like this you received? Was it to your benefit or not?

  • Did you ever experience a professor in your higher education track teach heavily political view points, even in a class that was not related to politics (like Biology)? What about one's you identify with? Progressive, Liberal, Conservative?

“concern about school quality is white privilege.”

  • Do you believe that mentioning good schools in a community to attract talent is 'white privilege'?

  • Does that mean areas with good schools are for whites, and areas with bad schools are for underprivileged? Is this racial, or socioeconomic?

  • From your higher education experience, what institutional issues did you experience related to this article? Did you experience legislature interference? Did you experience faculty's personal views being reflected in your teaching? Did you get affirmation or rebuking of your original world view before education. Did you feel enlightened or have your original views changed after being exposed to broader viewpoints?

Edit:

  • Would good educators in your area be fired for expressing dissenting view points based on the composition of your legislative bodies?

  • Do you believe there are more progressive, liberal, or conservative educators?

  • Do you believe there should be a mix of all viewpoints?

  • Do you believe research topics should be a mix of views, if the research crosses from scientific into political/ideology realms?

 

This article outlines an opinion that organizations either tried skills based hiring and reverted to degree required hiring because it was warranted, or they didn't adapt their process in spite of executive vision.

Since this article is non industry specific, what are your observations or opinions of the technology sector? What about the general business sector?

Should first world employees of businesses be required to obtain degrees if they reasonably expect a business related job?

Do college experiences and academic rigor reveal higher achieving employees?

Is undergraduate education a minimum standard for a more enlightened society? Or a way to hold separation between classes of people and status?

Is a masters degree the new way to differentiate yourself where the undergrad degree was before?

Edit: multiple typos, I guess that's proof that I should have done more college 😄

 

This is interesting.

Firstly, I love that states inherently have the power to set their own laws. This allowed Oregon to be a great large scale experiment for drug policy.

I saw some interesting quotes:

But estimates from the U.S. Centers for Disease Control and Prevention show, among the states reporting data, Oregon had the highest increase in synthetic opioid overdose fatalities when comparing 2019 and the 12-month period ending June 30, a 13-fold surge from 84 deaths to more than 1,100.

Despite public perception, the law has made some progress by directing $265 million dollars of cannabis tax revenue toward standing up the state's new addiction treatment infrastructure.

I guess since only cannabis is sold, it's the only taxable substance in the mix.

Some lawmakers have suggested focusing on criminalizing public drug use rather than possession. Alex Kreit, assistant professor of law at Northern Kentucky University and director of its Center on Addiction Law and Policy, said such an approach could help curb visible drug use on city streets but wouldn't address what's largely seen as the root cause: homelessness.

Homelessness leads to drug use? Or drug use leads to homelessness? Couldn't it be either?

In the first year after the law took effect in February 2021, only 1% of people who received citations for possession sought help via the hotline, state auditors found.

Critics of the law say this doesn't create an incentive to seek treatment.

Thoughts:

  • Maybe just start with cannabis and see how that goes? Or do we really need to progress collectively to heroine, meth, cocaine, MDMA?

  • Is the major public health crisis the use of more illicit drugs, or overdoses? Is possible that recreational use of cocaine/MDMA/others wouldn't be as big of a crisis as meth and fentanyl?

  • Should heroine be legal for use?

  • Should MDMA be legal for use?

  • Should cocaine be legal for use?

( I am not advocating for or against use of these substances with this post. Posted for discussion/interest. Questions are posed for discussion. )

 

On July 25, 2023, the states of Missouri, Arkansas, and Iowa, along with intervenors American Water Works Association and National Rural Water Association, petitioned the Eighth Circuit to review the EPA’s new rule. This rule requires states to review and report cybersecurity threats to their public water systems (PWS).

The states’ brief argues that the EPA’s Cybersecurity Rule unlawfully imposes new legal requirements on states and PWSs. It also contends that the rule exceeds the EPA’s statutory authority by ignoring congressional actions that limit cybersecurity requirements to large PWSs and by changing the criteria for sanitary surveys through a memorandum

And then there a bunch of PLCs at water utilities compromised:

https://www.politico.com/news/2023/11/28/federal-government-investigating-multiple-hacks-of-us-water-utilities-00128977

https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems

https://apnews.com/article/water-utilities-hackers-cybersecurity-1c475f5d2ef3b5d52410c93bdeab3aad

https://www.bleepingcomputer.com/news/security/hackers-breach-us-water-facility-via-exposed-unitronics-plcs/

So many more...

Now, I can understand arguments about jurisdictions, but would the exact same requirements coming from CISA instead of the EMP have been OK, or where these places just whining about any kind of oversight? At the end of the day, they look a little foolish.

 

This episode of Security Now covered Google's plan to deprecate third party cookies and the reaction from advertising organizations and websites.

The articles and the opinions of the show hosts are that it may have negative or unintended consequences as rather than relying on Google's proposed ad selection scheme being run on the client side (hiding information from the advertiser), instead they are demanding first party information from the sites regarding their user's identification.

The article predicts that rather than privacy increasing, a majority of websites may demand user registration so they can collect personal details and force user consent to provide that data to advertisers.

What's your opinion of website advertising, privacy, and data collection?

  • Would you refuse to visit websites that force registration even if the account is free?
  • What's all the fuss about, you don't care?
  • Is advertising a necessary evil in fair trade for content?
  • Would this limit your visiting of websites to only a narrow few you are willing to trade personal details for?
  • Is this a bad thing for the internet experience as whole, or just another progression of technology?
  • Is this no different from using any other technology platform that's free (If it's free, you're the product)?
  • Should website owners just accept a lower revenue model and adapt their business, rather than seeking higher / unfair revenues from privacy invasive practices of the past?
view more: next ›