Basically it depends on the people implementing compliance. If they care, compliance and security are aligned. You can use most compliance tools to make the life of your SOC easier. Like you wrote before: you can decide on dev teams' priorities, you can learn about practices in other places, etc.
But also you can do the absolute minimum to pass an audit and fight with people who discover actual issues outside the approved process.
@wolf480pl @domi @lanodan Sorry for thread necromancy, but I think this is the core of the good/bad distinction.
Your goal is to fix any security issues. For most large companies the goal is not to be liable for security issues in their product/service (usually through standards compliance). Those are two different goals that can be in direct conflict.
CVEs enable a quick scan to improve security, but they also give people a way to do the performative CVE scan to check a compliance box.
@rysiek Please clearly mark it as sarcasm, since I've had a chat with some Americans and even the left-leaning ones seem to be unsure about his Nazi* salute.
*) For people who argue it could have been a Fascist salute instead: it's not the different economic theories regarding distribution of wealth stolen from the murdered minorities that people have an issue with. It's the murdering that we consider wrong.
@Avitus CloudFlare doesn't mention any guarantees of anonymity of the audience.
Someone made a decision to use their services with all the implications of using it. So either nobody at Signal cares about exposing endpoint IPs (which I believe to be the actual stance - but like @rysiek said let's see if they respond) or they care and didn't check it when using CFlare as a dependency.
Either way it's the integrator's responsibility to check if the chosen components fit the purpose.
What actually interests me is the response (or lack of it) from Signal. Seems like not much has changed over there in the last decade. Despite big words and hacker con keynotes they just want to be the new Facebook messenger.
Also there's an easier attack to get your exact egress IP address. It's good to be aware that just having Signal on your phone can reveal it (assuming notifications are enabled).
So #FreeOurFeeds wants us to give 4M USD to already rich Americans some of whom already ran Mozilla into the ground, others pumping the AI bubble to
*double checks notes*
build an independent centralized instance of a social network apparently not designed for more instances (unless I underappreciated how rich all of the fedi developers and instance admins are). And this second centralized instance is supposed to improve decentralization of social media?
@jwildeboer Congratulations to Germany on finally arriving here a decade later. It's good they did, it's sad it took so long. Even sadder that others haven't arrived yet.
Regarding the coal: it does, and it makes me sad that Poland keeps using almost half as much brown coal as the biggest polluter in the EU. The move to renewables is slow and there's not enough investment in the grid infrastructure to handle individual producers. I wish both PL and DE did more in that area.
@jwildeboer Is the information about Germany blocking the 14th sanction package for more than a week (which among other things was supposed to block LNG imports from Russia across EU) untrue? Am I misinformed?
@jwildeboer Because Russia closed the valve to Germany? Let's not give German government credit for something they were forced to accept.
Moving off the limited LNG coming in through channels other than the pipeline was just a logical next step after the pre-winter "oops a pipeline turbine is broken and we can't fix it with all those sanctions" blackmail.
@domi @wolf480pl @lanodan One of the big consulting firms used to have (maybe still has) a rule auditing tool which screams when it sees "Allow ICMP Port:Any" in cloud configs, where the port field means ICMP message type.
It's completely fine with listing all of the RFC defined values individually because it's just for show.
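The gap described in the post, as an added example that is not part of the original thread: a checker that evaluates ICMP allow rules by the set of message types they actually permit, so that a rule enumerating every type is flagged the same way as "Any". The rule dictionary format, the "Port:Any" / "0-255" / comma-list syntax and the sample rules are assumptions modelled on the post, not any vendor's real configuration language or the consulting firm's tool.

```python
# Added example (not from the original thread). Compares a naive string-match
# audit with a semantic one that looks at which ICMP types a rule really allows.
# The rule format and the sample rules below are constructed for illustration.

ICMP_TYPE_UNIVERSE = frozenset(range(256))  # the ICMP "type" field is 8 bits


def parse_icmp_types(port_field: str) -> frozenset:
    """Translate the 'port' field of an ICMP rule (which holds ICMP message
    types) into the set of types it allows. Accepts 'Any', single values,
    comma-separated lists and 'lo-hi' ranges (assumed syntax)."""
    field = port_field.strip().lower()
    if field == "any":
        return ICMP_TYPE_UNIVERSE
    types = set()
    for part in field.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            types.update(range(lo, hi + 1))
        else:
            types.add(int(part))
    out_of_range = sorted(t for t in types if not 0 <= t <= 255)
    if out_of_range:
        raise ValueError(f"ICMP type out of range: {out_of_range}")
    return frozenset(types)


def naive_audit(rule: dict) -> bool:
    """The check from the post: only the literal 'Any' on an ICMP rule is flagged."""
    return rule["protocol"].upper() == "ICMP" and rule["port"].strip().lower() == "any"


def semantic_audit(rule: dict, universe: frozenset = ICMP_TYPE_UNIVERSE) -> bool:
    """Flag an ICMP allow rule whose permitted types cover the whole universe,
    however the rule spells it. 'universe' lets you narrow the check to the
    types your organisation actually cares about."""
    if rule["protocol"].upper() != "ICMP" or rule["action"].lower() != "allow":
        return False
    return parse_icmp_types(rule["port"]) >= universe


RULES = [  # constructed sample rules, not a real cloud config
    {"name": "icmp-any", "action": "allow", "protocol": "ICMP", "port": "Any"},
    {"name": "icmp-enumerated", "action": "allow", "protocol": "ICMP",
     "port": ",".join(str(t) for t in range(256))},
    {"name": "icmp-range", "action": "allow", "protocol": "ICMP", "port": "0-255"},
    {"name": "icmp-ping-only", "action": "allow", "protocol": "ICMP", "port": "0,8"},
    {"name": "ssh", "action": "allow", "protocol": "TCP", "port": "22"},
]


def audit(rules, universe: frozenset = ICMP_TYPE_UNIVERSE) -> dict:
    """Map each rule name to (naive_flagged, semantic_flagged)."""
    return {r["name"]: (naive_audit(r), semantic_audit(r, universe)) for r in rules}


if __name__ == "__main__":
    for name, (naive, semantic) in audit(RULES).items():
        print(f"{name:18s} naive={naive!s:5s} semantic={semantic}")
```

Running it shows "icmp-enumerated" and "icmp-range" passing the naive check while the semantic check flags them alongside "icmp-any"; "icmp-ping-only" (types 0 and 8, echo reply and echo request) is only flagged if you hand `semantic_audit` a universe restricted to those two types.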
@Di4na One thing we can learn from the Horizon scandal is no matter how bad and harmful your software is, you can keep on doing what you're doing as long as your customer is ok with covering it up.
I prefer the Therac case mostly because it covers multiple mistakes (changing assumptions, ignoring user feedback, reuse of code outside of its scope) and it had actual positive outcomes. Dieselgate might be a better case, since it teaches the developer they're on the hook, not the C-suite.
@drewdevault 100% but I had to assume you mean "allowed in the USA" since trademark law is different where I live and a name of a product/software could be infringed upon without prior registration (but the process of proving that is usually more costly than just outright registering a ™).
@deirdresm @thomasfuchs Please read the Tesla manuals and let me know how to open the rear door in the newest Model Y in case of a power cut-off without a tool.
The thing is: Tesla doesn't provide a way to open the rear door without power. Having read the manual doesn't resolve the core issue of evacuating a car in case of an emergency.
@gsuberland @dalias @404mediaco Not exactly consumer law this time :( However, without going into legal minutiae, most (if not all?) Polish customers of Newag bought Impulse 2 trains with money from taxes in public tenders. There's an additional book of regulations to hit them with for defrauding the taxpayer, which might have EU-wide consequences.