loudwhisper

joined 2 years ago
[–] loudwhisper 3 points 6 days ago (2 children)

Thanks for the kind words!

I won't take credit for the template, I have used the one found here: https://www.datarequests.org/blog/sample-letter-gdpr-erasure-request/

[–] loudwhisper 1 points 6 days ago

Eh, the thing is I made the formal request using data deletion module, but I just assumed that's what the support person asked the development person ("team"), assuming it was not the same person for both!

[–] loudwhisper 4 points 6 days ago

Congratulations on completing this!

I have indeed moved most accounts to individual aliases. I used to use the same username and similar emails (perhaps grouped like shops@mydomain), but I got no benefit and the username allowed unnecessary correlations.

So alias + random username and I will have much much less trouble in the future. Hopefully!

[–] loudwhisper 1 points 1 week ago

You are right and what some people miss is that social engineering being the vector to gain a foothold doesn't mean that it was sufficient to allow the breach. Almost always you need some other weakness (or a series of them). Except when the weaknesses are so bad that you don't need a foothold at all (like this case), or when the social engineering gives you everything (rare, but you might convince someone to give you access to data etc.).

A whole separate conversation is deserved by how effective (or not) social engineering training is. Quite a few good papers about the topic came out in the last few years.

[–] loudwhisper 4 points 1 week ago (1 children)

Social/Political problems need social/political solutions, not technical solutions.

[–] loudwhisper 10 points 2 weeks ago (1 children)

BUT! Do a thorough quality and content check (i.e. no rape, kiddy diddling, spousal abuse, any other type of abuse, etc.)

Genuine question, why? It seems just that you want your arbitrary moral rules instead of Visa's or MasterCard's (or PayPal's).

[–] loudwhisper 17 points 2 weeks ago

This also takes away agency from people. In fact, I am sure that there would be a way to diagnose every single relationship ever as a form of abuse in which someone takes advantage of someone else's something.

Adults are responsible for their choices, and particularly in the case of "assholes", that is often associated with being assertive, dismissive and some people just like that kind of "I am the main character" features. Maybe there are even some deep rooted evolutionary reasons for that, I don't know. Anyway, painting anything as victim-oppressor dichotomy IMHO is nonsense.

[–] loudwhisper 2 points 2 weeks ago (1 children)

When they need, they'll learn.

100% agree. But. If you are a principal engineer claiming to have experience hardening the thing, you would expect that learning to have already happened. Also, I would be absolutely fine with an "I never had a chance to dig into this specifically, I just know it at a high level" answer. Why come up with bs?

Maybe those engineers were like that too.

I mean, we are talking about people whose whole career was around Kubernetes, so I don't think so?

[–] loudwhisper 2 points 3 weeks ago

I partially agree, but not only are we looking for experts of that thing, we are also looking for security experts, and security knowledge is very much meta-knowledge. A software developer might not care at all about - say - how the CI/CD works, because all they care about is that the thing builds the code. A security expert generally has a broader scope, and their job is not functional, which means their job is exactly understanding the thing to be able to model the risks around it. So they might not care about all the tools used in that CI/CD or the exact details of the steps, but they should understand the execution flow, the way third party dependencies are pulled, verified, consumed, the authorization model etc.

There is no such thing as a security professional who doesn't understand - at least from an academic point of view - the overall setup of a thing they worked with.

If I take the image attestation example I made in the post, I consider the "inner workings" to be the cryptographic details, such as ciphers and their working mechanisms, or the exact details of the way that attestation can be verified offline, or what exactly is computed and how. I am OK with someone not knowing this. But not understanding the whole flow? Well, without this what's left? Copying the 3 lines of code that do something from the GitHub documentation? Any software engineer can very much do that, so what is your contribution as a security specialist?

…..people lie on CVs and cover letters. If your ad has buzzwords and technology X, Y, and Z

Totally agree. It is very likely, although the more people I interview, the more I think that they are not lying from their perspective. It's that people can legitimately make a career today by stitching together stuff with scotch tape, spending years just doing that and effectively having little to show for those years. But from their perspective, they might be experienced in that stuff, maybe?

[–] loudwhisper 2 points 3 weeks ago

I wouldn't say it's a large expansion of skillset, meaning it's not massive. But yes, indeed it is problematic to find people. It is because this is a vicious circle in which companies are digging their own graves by eliminating a market for those people, which in turn means that those who would want to hire some can't find them easily, leading to outsourcing instead. Do this for 15 years across the whole industry and it stops being an option, which is pretty much where we are today. That said, training and upskilling is always a possibility for companies who invest in their own employees and are playing the long game...

[–] loudwhisper 2 points 3 weeks ago

Well, for the relatively small sample of Kubernetes experts I interviewed, basically any topic beyond "you use this tool" was a disaster, including Kubernetes knowledge. I am not selective, it's not like I expect a specific skillset, but what would you think if someone with a decade of platform security doesn't understand cryptography and supply chain, Linux permissions, Kubernetes foundational concepts, container isolation or networking? At some point the question is legitimate: what are you an expert in? The answer I have been able to give myself so far is "stitching together services that do stuff" and "recommend what the documentation/standard recommends". I consider myself satisfied to have somewhat decent knowledge in some of those areas; I am not expecting someone to understand all of that, but none of them? Maybe from someone who just joined the industry.
