
Safari on iOS/iPadOS displays a great "white page fast reload loop" when opening a website missing the intermediate certificate of an internal CA, even when that intermediate CA is installed in the device's keychain. That behavior is so weirdly specific, it's at least easy to identify the cause if you have seen it before.


Dave Wiskus, one of the co-creators of the standard.tv network behind this platform, gave some insights on the /r/CGPGrey2 subreddit [0] and on Twitter [1].

[0] https://www.reddit.com/r/CGPGrey2/comments/bs52a1/nebula_an_...

[1] https://twitter.com/dwiskus/status/1131587829136601088


Sitting at the other side of the table (as a regular engineer in BigCorp), that was an interesting read. One thing I recognized from too many demos and product workshops (whether they are on site in our offices or remote) is this section:

> Ask lots and lots of questions. Follow the 80/20 rule: 80% of the demo content should be about your customers, and 20% should be about your solution.

Spending an hour explaining our systems, our business and our pain points to a random sales rep is usually not a good use of my time, especially if I still don't really know or understand your product yet (don't expect me to have even visited your website before the demo if I'm not the person who booked it).


So if you have a meeting scheduled for a demo, why wouldn't you check out the website? Are you actively trying to not have a good meeting?

I almost always go through materials before a meeting because it makes me better informed and we end up having a much better conversation.


They seem to avoid mentioning the version of Android they are running - the specs only say "Android".

I'd like to be excited about this, but this uncertainty combined with the fact that their security personnel is a team of dogs [1] makes it quite hard for me.

[1] https://www.essential.com/about


We detached this subthread from https://hackernews.hn/item?id=14444305 and marked it off-topic.


I thought you were being unimaginably rude until I went to the page and saw that there were actual dogs listed.


I __think__ they mean physical security (as in, Guard Dogs), rather than their Software Security team.

Still, the optics aren't good.


The optics are fine. It's a cutesy "about us" page.


Wow. For a platform that struggles with security, listing a security team entirely composed of dogs comes across as the equivalent of "I drive better drunk!". One has to wonder whether it was intended as a joke or as a dismissal, and in both cases it evidences an alarming attitude towards a very serious problem.

EDIT: If there were humans on that team in addition to the dogs, I'd not be nearly so upset.


Well, professionally I'd like a human photo. If this were a shy photo, I would hope for not a cute puppy photo, but a human animated icon. There is a bit I called professional presentation vs being cute, but this is a startup and it's someone else's company.


or you could just accept that this is a cute way to present the office dog, and get on with your life...



Not sure there is an issue here... I think it's just a joke about 'physical security' of the premises.

Most team pages I've seen don't specifically identify people working on infosec aspects of the product. That could be an attack vector if you're really being paranoid.


That's a myth. If someone were to attack your infosec engineers physically or virtually you need to build your company from the moon because only nation states and the 1% richest would be able to afford the ride there. If someone were to do social engineering well it will be done, regardless of title. :)

No seriously, I bet you this is just a blunt humor attempt. Someone thought it was cute. Those who prefer to remain hidden from camera just don't want to be seen on the Internet. I probably should go on LinkedIn and look for someone with a security title working for this company; I might be right.


> That's a myth. If someone were to attack your infosec engineers physically or virtually you need to build your company from the moon because only nation states and the 1% richest would be able to afford the ride there.

http://www.spiegel.de/international/world/ghcq-targets-engin...


See my response on another comment.


NSA has been known to target sysadmins so I wouldn't call this a myth.


I already said it: social engineering will work regardless of whether someone hides their identity. Government knows who works for whom. The IRS is a good source, so this is a myth that hiding a photo can save someone's security. No, it is a false sense of security. When I said it's a myth, it's satirical.


The less information available about the infosec and (more importantly) the sys admins the better.

Nation states are like any organization. They are resource and time constrained. If you set the bar high you will eliminate the low hanging fruit adversaries. Force them to put the work in... Plus if you show them you are very careful and watching everything you will force them to be extra careful, as not to tip off any surveillance, which expends more resources.

Whether or not they can actually be anonymous is not the ultimate goal. That would require a lot of work and attention to detail. But you can still do some basic stuff to make the lives of hackers hard.


That's a false sense of security you and many have. It takes very little time for nation states to identify who works for XYZ company.

If what you suggested is the right practice, then why are Google Zero Project members a public thing? A lot of them are publicly known. If infosec people are vulnerable, isn't your building security guard vulnerable? We have tens of thousands of hackers attending DefCon, Black Hat, and other security events every year, and shouldn't we be worried? We have some of the most respected hackers and security engineers on the planet attending them. How do you think the government (FBI) recruited an anonymous hacker to work for them? Aren't your network engineers vulnerable? Let's not kid ourselves with this ridiculous and quite frankly stupid obfuscation. If people easily fall for social engineering, let's find a solution that addresses the problem. Your impression of hiding behind the curtain is basically the stereotype of hackers in a basement. History has taught us the only famous computer programmer yet to be revealed is the creator(s) of Bitcoin. We don't know if any nation states know who created Bitcoin. Otherwise, the government has a pretty good hand in finding people. Resource constraint is a joke. If the government wants to hack into Verizon they would have the resources assigned.

Sorry to be harsh, but this is again a false sense of security. Most startups would have developers with access to production, so developers are just as vulnerable as infosec folks. Then why reveal the rest of the team? That counters your argument that malicious actors would have a harder time social engineering. So let's really not pretend we are doing better without revealing infosec, because that's just nonsense in practice, unless you are working on a project that may have serious retaliation, such as defeating the Wanna worm; then I understand masking your identity.


> It takes very little time for nation states to identify who works for XYZ company.

If it requires a person to spend time researching non-open source intelligence avenues then I disagree.

The point is by not doing something a company can gain something. That's not a big ask for the marketing team not to mention names in any public interface.

It's easy to assume that 'nation state' surveillance means that a sophisticated person will hunt down a piece of information. But that's actually quite a resource intensive request.

Quickly finding someone's name on publicly available resources and adding it to a list is on quite a different level than having a hacker/trained person hunt down a hidden piece of information that must be triangulated from other disparate pieces of information. And I say this having spent quite a bit of time doxxing people for fun myself - it's a time intensive activity regardless of whether it was ultimately easy to do. The less information available, the much harder it is to do.


But it is pretty much a lost argument here because (1) developers aren't shielded, (2) developers are as vulnerable to social engineering as any infosec (but probably even more vulnerable if said infosec workers are very careful). The issue is the effort is negligible in a manhunt. For non-nation state actors like you and I, sure, it takes a huge effort. But if you don't hide everyone, then there is very little gain from hiding only people in infosec. In my experience, a lot of developers have production access. Compliance does not care if developers have access or not; auditors only care about whether approval is in place and an audit report can be produced without tampering. Also, in many enterprises, infosec often don't have access to actual production; they are just managing the incident response process. Therefore, it is not usual to see massive social engineering, because it only takes one victim. Even if said victim has no access to most of the data, a breach in the network is already a gold mine.

Also, as you probably are familiar, sites like LinkedIn can be a great source for getting a list of employees, and guessing company email addresses usually takes some effort once the attacker figures out the naming convention of email addresses.

Anyway, partial information is just as bad as full disclosure when the unhidden secrets are just as useful as the hidden one. So we either hide everything or we don't hide anything.


Marketing person: "I think it'll be cute to add our pets to the about page!"

Employees with dogs: "Aww! It'll be so cute to add our dogs! Let's give them fun titles!"

Most people: "So cute! Look honey, they have a picture of a dog named 'Cosmo' that's their 'Head of Security'! Haha!"

Hacker News: "This is an affront to the serious nature of computer security and an insult! I am shocked that a startup would make such an attempt at 'humor' when the OS they use does not have 100% perfect security and our privacy and digital security is being threatened daily by the men in black. I will never buy this product!!!!!11"


Situation: There are 0 people and 2 dogs listed as the security department on a platform where security has long been a metaphorical joke and is now evidently a literal joke.

HN: What's the big deal?

Most people: It's a little creepy that everyone knows everything about me, and the identity theft epidemic kinda sucks. Not much I can do other than keep an eye on the accounts, chase down fraud as it happens, self-censor, and pray I don't get hit with ransomware. I have other battles to fight, so I hope the tech industry has my 6 on this one.


The About page lists a fairly large number of engineers, some of whom no doubt have responsibilities involving security. But Essential is not Android, nor are they Google, so they have a much smaller subset of security concerns to deal with as a handset maker.


why the hell is the about page 1.8MB (when all the resources are loaded)?

and it seems to be buggy with no webgl? using chromium under linux I get "Uncaught TypeError: Cannot read property 'getExtension' of null"


I had a lot of trouble scrolling through that site on my very beefy work MacBook, which never hiccups on webpages.


And the camera person doesn't have a picture...


Moreover, their whole website is not accessible when JavaScript is blocked, leaving the impression that security-minded people are not their target audience at all - which is really a pity!


Do you think the guy that designs their web site and the guy that works on phone security are even remotely related?


Do you think clients will be mapping out their whole corporate structure before making an assumption about their level of service?


If they are not, how can I trust anything written on that page about quality and security?


What does it matter? If a website for a new router only supported Internet Explorer, I definitely would know either I'm not their target market, or they know nothing about that market, or they don't care.


I would argue that the percentage of people who care about websites working with JavaScript disabled is so low that no hardware company considers them a target market


I wasn't saying that no JS support is hurting them. I was objecting to the notion that them being separate teams is relevant. It's perfectly reasonable to judge a product by how it is marketed.


Funny you mentioned that; ASUS's latest routers try to mimic the OSX UI.

It still works on Chrome but you never know what the next firmware upgrade brings...


Nitpick: YouTube was 1.5 years old (founded in February 2005, deal finalized in November 2006)[0].

I just looked that up because I really thought YouTube had been around longer before Google acquired it. That's interesting to learn, so thanks for pointing that out.

[0] https://en.wikipedia.org/wiki/YouTube


To elaborate on "minor fees": For the current semester (6 months), a student at a public university in Cologne pays around €250 [0][1].

For the FH Köln, the exact amount is €246.20. This comprises the following:

* Administrative fee for "Kölner Studentenwerk", providing services such as cheap apartments or help with financial questions: €68.00

* Public transport ticket for the VRS region (around Cologne): €116.80

* Addon ticket for public transport in the whole state (NRW): €48.10

* Fee for the student council ("AStA"): €13.10

* Solidarity contribution (for Eastern Germany): €0.20

There may be additional fees for some courses, such as €100 for "study material" for distance learning courses. Public universities may also offer some courses that require you to pay, as the FH Köln does for their Master's program for Game Development. However, the vast majority of courses don't require such fees.

Of course, there are also private universities. Their fees are roughly €400-€700/month.

[0] For the FH Köln: https://www.fh-koeln.de/en/academics/fees_5908.php

[1] For the University Köln: http://verwaltung.uni-koeln.de/studsek/content/studium/rueck...


It also works with SoundHound. Thanks for that, I didn't expect that song, that really made me laugh.


There's a typo in your first link - it redirects to a scam site. Thanks nonetheless!


Honest question: How do I find those? Online, local brick-and-mortar stores?


Did the Macbook Pros just get a whole lot more expensive in Europe (or specifically Germany?)? I don't remember the 15" MBP with a discrete graphics card being 2800€. Or have they adjusted their prices to the weak Euro a while back?


I would think the latter [0] if you are seeing around 20% appreciation in price.

0: http://www.xe.com/currencycharts/?from=EUR&to=USD&view=2Y


Yeah, they adjusted for the weak Euro. The Apple developer program also went up in price last year in Europe.


The last gen MBP was also the same price in Germany a few months back, so it wasn't changed just now.


It might have occurred when the Retina screen was no longer optional.

