Everyone has a relative that after 30 years still doesn't know how to use the airco controls?
I read somewhere it all follows some sort of gaussian/normal distribution, like in 11 peole there might be 1 knowledgeable, 2 interested, 5 pretending to listen, 2 bored, 1 sneaking out. Sometimes it's you or me who sneaks out.
Centrally managed? Like are these devices enrolled into some centralized management system, and so is the question whether that system also manages the OS root cert store? (And would have been followed up with whether it blocks TLS traffic that it's unable to intercept?) Or is it maybe whether the vendor's applications deployed to these devices use that or carry their own?
But then I read on, and PKI and HTTPS comes up. Is centrally managed then referring to PKI being a centralized trust system, and so is the question really "are you using CA issued domain certs"? Why the contrived phrasing then?
And then there's a mention of an internal domain name. Internal as in private? Sounds a bit suspect that the guys who don't know what a certificate is would have a private DNS with a private CA to boot, but it sure would be centralized alright.
I think it's inquisitive that the first common point reached was HTTPS: yes/no? -> yes. But then even that was seemingly a bit too new info: in the portrayed discussion it is first also asked whether HTTP is in picture. This makes me question, just what did the author even know about these devices when they prompted their centrally managed certificates question.
Maybe a better question at that stage would have been, "So, how do these devices communicate, and what to?", letting them explain it in their own terms first?
But it's possible to install a certificate of your own in which case the answer is probably “no” because when it expires you're going to have to to every one of those machines and install the replacement.
Or imagine an embedded computer that doesn't even have an OS. Then the certificate store just has whatever the developer put into it when they built the image. Again the answer is “no”. If you're lucky you can still rebuild the image and reflash the devices even though the engineer who did the work was fired as a cost–cutting measure. If you're not lucky then that VP’s cost–cutting has actually added a lot of cost.
Well, you should blame the developer if they don't know the basics of computer science (TLS handshake being the basics)
For example when working with Apple's Network.Framework, I have to drop to C and use functions like "sec_protocol_options_add_tls_application_protocol". Maybe the new beta framework is better.
Or if I want to get a certificate hash on the command line in a usable format, I'd have to run "openssl x509 -in server.crt -noout -fingerprint -sha256 | sed 's/://g' | cut -d= -f2"
Networking and security is still a dark art and it shouldn't be.
A developer can slap a @RestController annotation on a Java class and magically have an HTTPS endpoint without knowing anything about TLS handshakes or certificate chains.
Which is why AI seemingly replacing junior engineers, because AI does the same thing, faster and cheaper...
Meanwhile, I as an engineer, see less and less appreciation and importance in my organization about "knowing" these stuff.
Eeeehhhh… gatekeeping is, IMO, not quite the right term.
On the one hand, gatekeeping is restricting access until conditions are met, regardless of how spurious and irrational those conditions are. And usually, despite some pretty insane conditions. Questioning the fundamental competency of someone who ought to know even just a little better is challenging why they aren’t already possessing access, not preventing access in the first place.
On the other hand, most people in the IT industry love to talk about all the little shinies they are obsessed about. So while they may not be the best teachers in the first place, tickle their passionate shinies hard enough and they will talk your ear clean off, down the hallway, drop it through the lift and have it staggering bloody and beaten onto the sidewalk outside before you can get a word in edgewise. So getting people in IT to be advocates for the work subjects they are passionate about is not the problem - it’s training them how to deliver that information effectively to someone not in the know and not initially passionate about it.
On the gripping hand, there are plenty of people in almost every industry for whom ”How do you NOT know about this core component of your job??” is a very valid criticism to lob with great enthusiasm at them. A verbal shock like this can be very useful for disturbing a person out of their complacency, especially if they already see themselves as an SME. The real trick is following that statement up with something that can truly inspire and encourage them to willingly reach for competency in that component.
ninetyninenine•5mo ago
Like I can see functional programming and physics but security just feels arbitrary.
zem•5mo ago
ninetyninenine•5mo ago
The axioms of functional programming and physics are not arbitrary conventions. They are fundamental to reality.
zem•5mo ago
ninetyninenine•5mo ago
Usually concepts that are arbitrary I wouldn't call "principles" because they aren't principles. Just convenient rules to follow. A principle is much deeper.
dtj1123•5mo ago
ninetyninenine•5mo ago
IT Security is an arbitrary methodology derived from fundamental principles, but it doesn't change the fact that it's arbitrary.
I can make up dozens of ways to make something "secure" that doesn't follow convention. Why isn't he using biometric data like saliva DNA testing to verify identity? And why are they using a channel that anyone can peek at? Send the signals and credentials over a blinking laser light and therefore we know if the laser is disrupted we have someone trying to peek at the encrypted signal.
See what I'm saying, I can arbitrarily come up with dozens of ways to make things not only just as secure, but MORE secure. IT security is mostly memorization of convention. These conventions are derived from fundamentals, they are not principles themselves. There are thousands of orthogonal methodologies to achieve the same level of secureness but the set we use for IT are just an arbitrary selection out of an infinite amount of possibilities.
torium•5mo ago
This guy specialized in security and so he thinks that the concepts that he learned underlying everything, and everything else is just application.
But he's making the same mistake as everyone else. Everybody has gaps in their knowledge, it's just that he chooses to talk down to people who have their in their knowledge in _his_ area of expertise. Physicists do this a lot (I should know: I trained as a physicist so I know a lot of physicists). "Physics is really everything, everything else could be deducted from physics in principle, so no point spending time thinking about it". He carried this attitude into the next area of expertise he learned.
I'm with the project manager. "How does the gorb fleem the leemaflop?" Don't know, don't care, you do your job and I do mine. Time is finite and I'd rather spend my time on things I find intellectually stimulating, not IT security. The irony is, if everybody could reliably answer those questions, he wouldn't have a job. I find the lack of understanding quite disgusting frankly.
ninetyninenine•5mo ago