I have seen this phenomenon especially at a couple of FAANGs over the past couple of years. Things are getting locked down so much, and so many special permissions are required that now people ask for permissions to systems or procedures preemptively. Because by the time they know if they will need it or not, it's too late.
And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple by itself, but cumulatively they are a giant hassle, and so people look for workarounds.
> And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple by itself, but cumulatively they are a giant hassle, and so people look for workarounds.
This is a tale as old as time.
At a prior gig, IT took away touch ID for ... $reasons. ~40% of the engineering team was already big into mechanical keyboards so it only took one person to "just FYI, VIA allows you to program macros". Is it _as bad_ as password on a sticky note? Not quite but I can't imagine that touch ID was _more_ of a threat.
You know what's funny is that, at least by default, these strings have some information in them that tells you the serial number and model of the key, among other things.
Curious, why remove Touch ID? I've been moving everything into it; it seems like a really good mix of convenience + security (especially if the alternative is copying your key into AI :) )
I call this sort of thing a self-DoS. If the system is unusable enough, it's indistinguishable from a DoS attack. This sort of sabotage isn't restricted to the security team, anything that makes the system unreliable enough from bad design through bad performance can have the same effects as an external attack.
>> Things are getting locked down so much, and so many special permissions are required that now people ask for permissions to systems or procedures preemptively.
Currently dealing with this at our current company. People were clamoring for access to various LLMs. They were slow to adopt and since we're a huge MS client, we were granted limited licenses for Copilot. Then more people made waves about getting access and they slow-walked a ton of licenses until a small portion finally had access.
Then came all the other non-MS apps that people wanted to plug Copilot into (such as Figma) and that was another round of frustrations with users here as they locked stuff down, then slowly relented.
The company is still struggling with giving access to AI tools and LLMs since now the company is really lagging behind many other companies who are just running wide open with AI.
We're 100% dealing with what you're saying. EIS has been making people jump through so many hoops that every time they add an LLM, it's completely locked down to just the enterprise network and people are getting really frustrated since so many of us are already well along using AI at home and elsewhere. Yet here our day-to-day stuff using AI is an act of Congress to get access to the LLM and tools.
> And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple by itself, but cumulatively they are a giant hassle, and so people look for workarounds.
This is certainly not true. I personally consider how much friction things introduce for users, things like normalizing having to reenter your password too much making phishing easier, and so on. It's well understood that you will get shadow IT, which is worse, if you make doing things the right way too difficult. I regularly advocate for streamlining processes and procedures, introducing more user-friendly systems, hosting office hours where the security team is available for any question or concern you have making us more available to the company, etc.
What's the issue? Well, for one, there's a ton of incompetent people in the field, so they'll just do whatever to make themselves look like they're working. Two, most security departments are criminally understaffed, so even if you have competent people they just have to put things together quickly and can't clean it up. Three, there's tons of idiotic regulatory and legal requirements that take forever to modernize. And finally, half of security is playing politics and arguing with the rest of the company, meaning that half the time the solutions you get are a slop of compromise with which nobody is happy.
TL;DR we aren't psychopaths without empathy, we struggle for the same reasons you developers have tech debt and other things that suck even though you would prefer not to.
Almost instantly, compared to my experience working for a big health care provider... I waited 6 months for the IT department to allow me to install development tools on my work laptop.
And while security rules created enormous roadblocks for work, they also left enough holes to be exploited. Before getting the required permissions, I managed to create a dual boot with Linux and share files between the 'approved' and 'illegal' systems.
All of these techniques are entirely routine for the average company with even a semi decent accountant, and only marginally increase the chance of an audit.
You do have to be sure you follow the rules and avoid various gotchas that other people in this section have pointed out, but otherwise it is entirely legal and routine.
No kidding. It's pretty normal for a high-growth company to not turn a profit for years because they keep on taking on expenses to try to grow quickly, and this is explicitly allowed now for R&D.
Actively involved owners live off of a salary paid by the company.
It wasn't performant, and it didn't scale. I was in a Notes shop in the mid-nineties and it was dog slow for practically everything in a perhaps fifty person company.
He also has no shareholders except himself. So the only person he has to please is himself, and if he is wrong, the only person who suffers is himself (and, I suppose, his family).
This very direct, very personal connection to the web business doesn't exist in most other sites.
He also has no ambitions towards being a billionaire, he just wants to make enough money to sustain a mostly upper middle class lifestyle and keep his business going.
I think a lot of online publications could be modestly sized businesses with a very respectable annual revenue range in the tens of millions or even hundreds of millions, but they erode their own brand value chasing tantalizingly higher numbers that SEEM in reach but actually aren’t.
Do they ever actually analyze the situation? In my experience they just ignore any issues and hit "approve" and on you go. I could have done that myself.
It's a classic false-positive problem. Most times when the self-checkout clerk has to give you attention, the problem is stupidly innocuous, so they blindly approve, as they have been trained by the system that it isn't a real problem.
Although the RAND Corporation did contribute some ideas theoretically connected to nuclear survivability (packet switching in particular). All that work was pre-ARPAnet and doesn't really motivate the design in that way.
It was designed to handle partial breaks and disconnections though. Wikipedia quotes Charles Herzfeld, ARPA Director at the time, as below. And it has much more discussion as to why this belief is false. https://en.wikipedia.org/wiki/ARPANET
====
The ARPANET was not started to create a Command and Control System that would survive a nuclear attack, as many now claim. To build such a system was, clearly, a major military need, but it was not ARPA's mission to do this; in fact, we would have been severely criticized had we tried. Rather, the ARPANET came out of our frustration that there were only a limited number of large, powerful research computers in the country, and that many research investigators, who should have access to them, were geographically separated from them.[113]
You should probably read the filing. First, these aren’t options, it is straight up stock and it does vest.
Second, even if they were options, they definitely vest, otherwise Pichai would never gain control to be able to use them as collateral for a loan.
What you might be thinking is that they never get exercised, which is when the person uses the option to actually buy the share. But even that isn't as straightforward as you seem to be making it out to be. The money to actually pay the interest on those loans is usually raised by selling stock acquired this way. And then that income is almost certainly subject to AMT as well as other special taxes in California.