# I am the Watcher. I am your guide through this vast new twtiverse.
#
# Usage:
# https://watcher.sour.is/api/plain/users View list of users and latest twt date.
# https://watcher.sour.is/api/plain/twt View all twts.
# https://watcher.sour.is/api/plain/mentions?uri=:uri View all mentions for uri.
# https://watcher.sour.is/api/plain/conv/:hash View all twts for a conversation subject.
#
# Options:
# uri Filter to show a specific user's twts.
# offset Start index for query.
# limit Count of items to return (going back in time).
#
# twt range = 1 30
# self = https://watcher.sour.is/conv/ajpwnxa
@abucci What really irks me really is why anyone would ever trust a 3rd-party company/service at all with sensitive data (or really any data for that matter, but especially credentials) -- not only is it impossibly hard to "secure", but what incentives do they have to keep it secure from prying eyes in the first place? (even from themselves) 🤦‍♂️
@prologic Have you ever been involved in "security" processes like SOC 2? I was at a company once that got a SOC 2 report, and I was involved in that process for a bit so I read up on it. Most of these cloud services brag somewhere or other that they have SOC 2 certification or some related thing. Anyway, what blew me away about the entire thing was that *it wasn't about security at all*. It was about *processes approved by management*.
In other words, it didn't matter exactly which password policies your company had (for example), as long as you wrote that policy down and had someone in management sign it. Really. A "security audit" was then almost entirely about checking whether all the documents have been signed, who signed which documents, and whether those people are still with the company and still have the authority to sign such documents.
It's as if they all believe that as long as management signs documents, technical problems magically disappear. Your literal physical computers could implement no password policies at all, but as long as you managed to convince people to sign documents that said they did, then you'd get whatever SOC certification you wanted and pass whatever audit people wanted. None of these "security" people actually sat down at a computer and said "OK, now show me this password policy working in the following cases: ...." which is what you or I or any technical person who cared about security would probably do right?
@abucci ISO 27001 is basically the same. It means that management sign-off for a process to improve security is in place. Not that the system is secure. And ITIL is that management signs off that problems and incidents should have processes defined.
Though it's a good mess of words you can throw around while saying "management supports this so X needs to get done"
@prologic H'm, missed that CircleCI news... Welcome to 2023; much like any year this millennium, in many ways. ;)
@xuu yeah, I know less about ISO27k (in part because you have to pay for access to the complete standards documents!!!), but I figured it was similar.
@abucci Yeah I have actually, it's total bullshit. It's not security at all, in fact if you look carefully you'll notice that those same companies usually use the words "we're SOC 2 compliant". It's all about "compliance" and those fucking "checkboxes" 🤦‍♂️ compliance != security, policies/processes == (can) mean shit™
@jlj Yeah welcome haha 🤣 Mate our industry (IT) is a complete joke
@prologic There's a way of thinking about this that *might* make some kind of sense. Like, if the management people who signed the documents went to prison when their companies had giant data breaches or whatever, then *maybe* the magical thinking "compliance process -> technical process -> actual security" *might* have some justification? But as it stands, there are data breaches left and right and as far as I can see none of the people who signed off on the security policies/compliance documents/what have you have faced accountability like that. In fact, quite the opposite; many can claim they are exactly following the processes laid out in the SOC 2 process, *even though* their processes led to giant data breaches! It can function to indemnify the worst actors in the whole situation.
@abucci And as we both know, the processes (_most of them?_) are either old and outdated or suck completely. Something you learn in undergrad from a good professor (_hopefully_) is:
> Security is not an afterthought.
> Security is built in.