We used to have these questions about "What are the advantages and disadvantages of X?"
I used to think I was outsmarting "the system" by only learning a few key facts about X and then twisting them around to get advantages and disadvantages, but little did I know that was the whole point of the course — to see the same thing from different perspectives and realize there are both advantages and disadvantages to X.
> Long-lived production SSH keys may be copied around, hardcoded into configuration files, and potentially forgotten about until there is an incident. If you replace long-lived SSH keys with a pattern like EC2 instance connect, SSH keys become temporary credentials that require a recent authentication and authorization check.
Something I don't understand is the absolute phobia of service accounts. There are things that need to happen regardless of who is doing it. Emails need to get sent every day with reports, for example.
Forcing these workflows into the nonsense security theater of "we can't have service accounts" is stupid and unproductive. So every time we fire or lay off the person whose name is on the automation, we need to rotate the keys? What is the benefit here?
If you are screaming "managed identity" here, I have a bridge to sell you because clearly even Microsoft has not been able to figure out or implement managed identities for internal workloads... Well not as of 2022, at least.
Service accounts are great! I just wish that, instead of having a password which gets shared around via 1Password, there were a clear permission list ("this is a service account; 'real' users X, Y, Z can log in as it").
Seems like it's just Microsoft that cannot figure it out. AWS has had roles forever, fully supported from the web console or CLI. But when I request an Azure service account, I am handed a username and password.
To be clear: This is not my position! I advocate for service accounts in my post:
> It is much harder to reason about, say, the security of an arbitrary Engineer's laptop than it is an EC2 instance that exists exclusively to tell KMS to sign something.
> So every time we fire or lay off the person whose name is on the automation, we need to rotate the keys?
If a person previously had access to the key and knowledge of the key gives you control over that automated workflow, is that key (and by extension that workflow) still worth trusting?
Totally, but my service accounts own the API keys. But keys are still annoying to rotate. You know what's not annoying to rotate? Short-lived tokens with very limited scope that get assigned more on demand.
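An added illustration of the short-lived, narrowly scoped token pattern the comment above favours. This is example code written for this page, not code from any commenter; the HMAC signing key, the claim names (`sub`, `scp`, `iat`, `exp`, `jti`) and the `report:send` scope are assumptions. The point it shows is that a leaked or forgotten token stops working on its own once `exp` passes, and that a token minted for one job cannot be reused for another scope, so there is nothing to rotate when a person leaves.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for the example. A real issuer keeps this in a KMS/HSM,
# never in a shared password manager.
SECRET = secrets.token_bytes(32)


class TokenError(Exception):
    """Raised when a token is malformed, forged, expired or lacks the needed scope."""


def mint_token(subject, scopes, ttl_seconds, now=None, key=SECRET):
    """Issue a bearer token bound to a subject, a small scope list and a short lifetime."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": subject,              # which automation/service account this is for
        "scp": sorted(set(scopes)),  # only what this job needs, nothing more
        "iat": now,
        "exp": now + ttl_seconds,    # token dies on its own; no rotation needed
        "jti": secrets.token_hex(8), # unique id so individual tokens can be logged/revoked
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode()
            + "." + base64.urlsafe_b64encode(sig).decode())


def verify_token(token, required_scope, now=None, key=SECRET):
    """Return the claims if the token is authentic, unexpired and carries required_scope."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error) as exc:
        raise TokenError("malformed token") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison: check the signature before trusting any claim.
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    claims = json.loads(body)
    if now >= claims["exp"]:
        raise TokenError("expired")
    if required_scope not in claims["scp"]:
        raise TokenError("insufficient scope")
    return claims


def is_valid(token, required_scope, now=None, key=SECRET):
    """Boolean convenience wrapper around verify_token."""
    try:
        verify_token(token, required_scope, now=now, key=key)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    # A nightly report job asks for a five-minute token with one scope.
    t0 = 1_000_000
    tok = mint_token("svc-nightly-report", ["report:send"], ttl_seconds=300, now=t0)
    print("within lifetime, right scope:", is_valid(tok, "report:send", now=t0 + 60))
    print("same token, other scope:    ", is_valid(tok, "users:delete", now=t0 + 60))
    print("same token, ten minutes on: ", is_valid(tok, "report:send", now=t0 + 600))
```

The job requests a fresh token each run, so a copy that ends up in someone's shell history or on a laptop that walks out the door is only useful until `exp`, and even then only for the one scope it was minted with.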
And to go one step further, for achieving a profile-per-Firefox-window workflow, I suggest having a look at the underrated extension Sticky Window Containers [0].
While far from perfect, I find it good enough for keeping things separated, especially when using a desktop/workspace workflow. For example, in workspace/desktop 2 I have a Firefox window open with the first tab set to "container A", so hitting ctrl-t there opens new tabs in the same container "A", so I'm logged in for everything in project A. In another Firefox window in workspace 3 I work with "business project B" tabs (where I'm logged into different Atlassian, GitHub, cloud, Gmail, ... accounts).
Then with a window manager like i3wm or Sway I set keybinds to jump directly to the window (and workspace), using the mark feature [1].
It's also possible to open websites directly in specific containers, so it's flexible. For example, on my desktop 8 I have all my AI webchats in "wherever my company pays for it" tabs: `firefox --new-window 'ext+container:name=loggedInPersonnal&url=https://chat.mistral.ai' 'ext+container:name=loggedInBusinessA&url=https://chatgpt.com' 'ext+container:name=loggedInBusinessB&url=https://gemini.google.com' 'ext+container:name=loggedInBusinessB&url=https://claude.ai'`
It's also the only way I found to keep multiple chat apps (Teams, Slack, Discord, ...) open. The alternative Electron apps are just as resource-hungry, and in my experience never handled multiple accounts well (especially Teams).
I don't bother submitting to reddit. I would say if you want to post anything substantial, as in something with multiple posts, to reddit, it should be on your own subreddit. Only allow posts and comments by approved users though.
> This is spot on. My dad was a professor and had dozens of PhDs. The only thing differentiating them (as I remember him telling me) was the resolve to keep work as /tiny/ as possible. Who is remembered for his/her PhD? Only the smallest cream of the crop. He even made good fun of worthless theses by (then) well-known professors. It's not about your PhD.
My professor once told me he presented at a small conference where everybody in the audience had a PhD in mathematics, and maybe 2 of the 50 or so people in the audience could follow along. The point he was trying to make is that at some point the people in the audience were not really interested in what was being presented, because it is difficult to just follow along with some really niche topic.
There was a book I read a couple years back called "Mathematica: A Secret World of Intuition and Curiosity", by David Bessis.
He discussed this topic and how generally it's left to those who are more notable in a field to ask the 'dumb' questions everyone else is afraid to ask. And such questions often need to be asked to get the audience on board and open the floodgates with areas of niche research - the speaker themself is often too far into the rabbit hole to discern the difference between opaque and obvious.
So it stands to reason, at smaller conferences this would be a big problem, with fewer thought leaders in attendance whose reputations are intact enough that they wouldn't mind looking foolish.
I never understood this problem. I am positive this is a solved problem in cars. I mean within reasonable timelines — ten years or so — the pipes and the radiator should not leak at all. Especially for something that stays in one place, if we have figured out how to not make it leak for something that travels at 70 miles an hour.
Maybe there should be a maximum betting limit the same way there should be an election contribution limit — let's say something like 10x the federal minimum wage or whatever, so if you are betting under USD 75.5, it is A-OK, but once you cross this number, we require public disclosures, no hiding behind LLCs, natural persons only, KYC, the whole shebang.
Actually, now that I think about it, let's get rid of the minimum, there should be no minimum, all bets even five cents must be fully disclosed and attributed to natural persons, no hiding behind "corporations are people, my friend" nonsense.
You will have to be way more specific. Every time I see a post bringing up the topic of sideloading (like this one), it is a complaint that either another product is locked down or Google itself is trying to lock everything down.
Look at the flippant dismissal in these threads (follow the discussions - don't just scroll past the parent comments). There's a shocking amount of disagreement:
Here are a few of the worst-aged comments, from a glance:
Absolutely no need to wail and rant about Apple and their App Store practices constantly. Just use Android.
You don't hear about 14 million iPhones being infected by malware.
But this is the argument with the cookie banners again, isn't it?
There's a reason Louis Rossman constantly berates his audience for having the attitude of "You fucking moron, you should've gotten [insert thing here]." He calls it elitism because it's not about commiserating and working to find a solution, it's about putting yourself above someone else for having made the "correct" decision on which multi-billion dollar corporation's fishhooks you decided to drag your skin over.
I don't trust Microsoft's status page. It might be "fine" overall, but it definitely is not fine for me.