• 0 Posts
  • 124 Comments
Joined 2 years ago
Cake day: June 7th, 2023

  • My list of items I look for:

    • A docker image is available. Not some sort of make or build script which makes gods-know-what changes to my system, even if the end result is a docker image. Just have a docker image out on Docker Hub or a Dockerfile as part of the project. A docker-compose.yaml file is a nice bonus.
    • Two factor auth. I understand this is hard, but if you are actually building something you want people to seriously use, it needs to be seriously secured. Bonus points for working with my YubiKey.
    • Good authentication logging. I may be an outlier on this one, but I actually look at the audit logs for my services. Having a log of authentication activity (successes and failures) is important to me. I both use fail2ban to block off IPs which get up to any fuckery and manually blackhole entire ASNs when it seems they are sourcing a lot of attacks. Give me timestamps (in ISO 8601 format, all other formats are wrong), IP address, username, success or failure (as an independent field, not buried in a message or other string) and any client information you can (e.g. User-Agent strings).
    • Good error logging. Look, I kinda suck, I’m gonna break stuff. When I do, it’s nice to have solid logging giving me an idea of what I broke and to provide a standardized error code to search on. It also means that, when I give up and post it as an issue to your GitHub page, I can provide you with some useful context.

    As for that Hacker News response, I’d categorically disagree with most of it.

    An app, self-contained, (essentially) a single file with minimal dependencies.

    Ya…no. Complex stuff is complex. And a lot of good stuff is complex. My main, self-hosted app is NextCloud. Trying to run that as some monolithic app would be brain-dead stupid. Just for the sake of maintainability, it is going to need to be a fairly sprawling list of files and folders. And it’s going to be dependent on some sort of web server software. And that is a very good place to NOT roll your own. Good web server software is hard, secure web server software is damn near impossible. Let the large projects (Apache/Nginx) handle that bit for you.

    Not something so complex that it requires docker.

    “Requires docker” may be a bit much. But, there is a reason people like to containerize stuff, it avoids a lot of problems. And supporting whatever random setup people have just sucks. I can understand just putting a project out as a container and telling people to fuck off with their magical snowflake setup. There is a reason flatpak is gaining popularity.
    Honestly, I see docker as a way to reduce complexity in my setup. I don’t have to worry about dependencies or having the right version of some library on my OS. I don’t worry about different apps needing different versions of the same library. I don’t need to maintain different virtual python environments for different apps. The containers “just work”. Hell, I regularly dockerize dedicated game servers just for my wife and me to play on.

    Not something that requires you to install a separate database.

    Oh goodie, let’s all create our own database formats and re-learn the lessons of the '90s about how hard databases actually are! No really, fuck off with that noise. If your app needs a small database backend, maybe try SQLite. But, some things just need a real database. And as with web servers, rolling your own is usually a bad plan.

    Not something that depends on redis and other external services.

    Again, sometimes you just need to have certain functionality and there is no point re-inventing the wheel every time. Breaking those discrete things out into other microservices can make sense. Sure, this means you are now beholden to everything that other service does; but, your app will never be an island. You are always going to be using libraries that other people wrote. Just try to avoid too much sprawl. Every dependency you spin up means your users are now maintaining an extra application. And you should probably build a bit of checking into your app to ensure that those dependencies are in sync. It really sucks to upgrade a service and have it fail, only to discover that one of its dependencies needed to be upgraded manually first, and now the whole thing is corrupt and needs to be restored from backup. Yes, users should read the release notes, they never do.
    The corollary here is to be careful about setting your users up for a supply chain attack. Every dependency or external library you add is one more place for your application to be attacked. And just because the actual vulnerability is in SomeCoolLib.js, it’s still your app getting hacked. You chose that library, you’re now beholden to everything it gets wrong.

    At the end of it all, I’d say the best app to write is the one you are interested in writing. The internet is littered with lots of good intentions and interesting starts. There is a lot less software which is actually feature complete and useful. If you lose interest, because you are so busy trying to please a whole bunch of idiots on the other side of the internet, you will never actually release anything. You do you, and fuck all the haters. If what you put out is interesting and useful, us users will show up and figure out how to use it. We’ll also bitch and moan, no matter how great your app is. It’s what users do. Do listen, feedback is useful. But, also remember that opinions are like assholes: everyone has one, and most of them stink.
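The authentication-logging wishlist above (ISO 8601 timestamps, IP, username, success as its own field, User-Agent) and the fail2ban habit that consumes it, as an added example that is not part of the original comment or of any project it mentions. The line format, the thresholds and the sample events are constructed for illustration; the ban logic mirrors a fail2ban jail's maxretry/findtime pair without being fail2ban itself.

```python
"""Structured authentication logging plus a fail2ban-style ban decision.

Added example, not from the original post. The JSON line format, thresholds
and sample events are constructed placeholders.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def auth_event(ts, ip, username, success, user_agent):
    """Emit one auth event as a single JSON line.

    The timestamp is ISO 8601 with an explicit offset, and success is its own
    boolean field rather than text buried inside a message string.
    """
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return json.dumps({
        "timestamp": ts.isoformat(timespec="seconds"),
        "ip": ip,
        "username": username,
        "success": bool(success),
        "user_agent": user_agent,
    }, sort_keys=True)


def parse_event(line):
    """Parse one JSON log line back into a dict with a datetime timestamp."""
    rec = json.loads(line)
    rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
    return rec


def ips_to_ban(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return the set of IPs with >= max_failures failed logins inside window.

    Like a fail2ban jail with maxretry=max_failures and findtime=window.
    Lines must be in chronological order. A later success does not clear
    earlier failures: a brute-forcer that finally guesses right should still
    be banned.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = set()
    for line in lines:
        ev = parse_event(line)
        if ev["success"]:
            continue
        recent = failures[ev["ip"]]
        recent.append(ev["timestamp"])
        # drop failures that fell out of the sliding window
        while recent and ev["timestamp"] - recent[0] > window:
            recent.popleft()
        if len(recent) >= max_failures:
            banned.add(ev["ip"])
    return banned


# Constructed sample: one host hammering "admin" every 10 seconds, and one
# legitimate user who mistypes a password once and then logs in.
BASE = datetime(2023, 6, 7, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    auth_event(BASE + timedelta(seconds=10 * i), "203.0.113.7", "admin",
               False, "curl/8.1.2")
    for i in range(6)
] + [
    auth_event(BASE + timedelta(minutes=1), "198.51.100.2", "alice",
               False, "Mozilla/5.0"),
    auth_event(BASE + timedelta(minutes=2), "198.51.100.2", "alice",
               True, "Mozilla/5.0"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line)
    print("ban:", sorted(ips_to_ban(SAMPLE_LOG)))
```

Because success is a real boolean and the timestamp is a parseable ISO 8601 string, the detection needs no regex over free-form messages, which is exactly where hand-rolled fail2ban filters tend to go wrong.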






  • I was lucky that, despite being somewhat religious, my parents were fine with me being an atheist. We would even debate the merits of religion and they did not have any issues with my questioning of their beliefs. Both were Lutheran and they had raised me in that tradition. I went to Sunday school, attended the Lutheran Catechism and reached the point of Confirmation. And that was right about the time I realized that the whole thing seemed to be based on a bunch of old stories with no more evidence than elves or faeries. And that was always the crux of my issue with their religion, and one they could never argue past.

    When it came to my kids, they have been raised with my complete lack of belief and my wife being agnostic. We spend our Sunday mornings sleeping in and not going to any sort of church/temple/forest altar. Though, that last might happen, if it’s ruins at the end of a nice hike. My parents never expressed any disapproval and the lack of religion was never an issue. Technically, my mother is still kicking about and could suddenly go off the deep end, though I strongly doubt that’s in the cards.

    At the same time, my wife and I had discussed religion before we had kids and what we might do in the event it became an issue. The simple answer was, “fuck 'em”. I love my parents, but my kids come first. If my parents had decided to get stupid over us not indoctrinating our kids in their fairy tales, then I would have just removed them from my life a few years before death did it anyway. Sure, it would have meant the kids never knowing their grandparents. But, there are lots of assholes in this world, I don’t see the need to personally inflict them all upon my children.

    The best thing you can do is talk to your partner and have a plan. I would say that, if you expect it to be a point of contention with your parents, you might want to talk with them about your views on religion before it gets to that point. It doesn’t need to be anything confrontational, just be up front and say, “I don’t believe what you do”. You don’t need to go on a Dawkins style, “your religion sucks and you are morons for believing it.” Just make it clear that you don’t believe. It’s still entirely possible to have a warm, loving relationship with folks who don’t believe as you do. It just requires that each side treats the other with basic human decency and respect.


  • I generally use the OS which fits what I am trying to do. For my desktop PC, I run Arch Linux as it lets me game, run VMs and have a high level of control over what the system is doing. The VMs are mostly Windows for testing stuff and one running Ubuntu as a host for PolarProxy. My server runs Ubuntu, though really just as a platform to host docker containers. That was a decision I made years ago when I knew a lot less about Linux and was looking for something which was more turnkey. My work laptop is Windows, because my work is mostly a Microsoft shop. But, I have WSL running both Ubuntu (for the SANS SIFT framework) and Kali.

    An Operating System is a tool. Don’t get wedded to any one OS.



  • Popular beliefs influence people’s beliefs, which reinforces popular beliefs. Step back even farther from the question for a moment and ask, “why do you think of ghosts as dead human spirits at all?” That a “ghost” is some sort of dead human spirit is a concept that has been built into Western society for a long time. It is something we just accept in storytelling and mythological belief systems because it’s been in them so long and is told to us via authoritative figures in our lives from an early age. To tell a story where a ghost is anything other than a dead human spirit or the echo of a dead human, makes people call bullshit on the story, because the story has broken a long-standing societal expectation. Sure, some stories can get away with it, and more so in the modern age where we are starting to appreciate stories which subvert long-standing expectations. But, we still tend to fall back on old tropes and devices which we can expect readers to understand, without having to spend too much time on building a world. It’s far easier to save the term “ghost” for something much like a dead human spirit and just create a new term when trying to describe something else.








  • Na, my experience is that Defender is fine with users downloading browsers and “updates” from random Russian sites. It’s happy to let the users install that software and only bothers to log a “hey, maybe this was bad” alert some time later. Edge, on the other hand, loses its shit when you visit the official download sites for Chrome or Firefox.



  • That sounds more like a feature than a bug. I remember when Twitter was actually useful. You could sort by “new” as the default and your feed only included stuff from people you followed. And then it went to complete shit with the sort defaulting to “fuck your preferences”, sponsored content and your feed being littered with click bait, paid content and all the other bits of enshittification. And that is all built on the algorithmic selection of content.



  • Step one, take a deep breath and realize that, unless you own the company, killing yourself to save it is dumb.
    That said, there are some things you can do to try and improve things:

    Learn to “talk business”. Yup, this one sucks, but it’s also the only way you are ever going to get traction. Take that Windows 7 system, why do you want to upgrade it? “Because security”, right? Well, how does that translate into costs to the business? Because, businesses don’t care about security. I work in cybersecurity for a large (Fortune 500) company and upper management has given exactly zero fucks about security for a very long time. They only started coming around when that lack of security started costing them real money. They still give zero fucks about security, but they do care about risks to the business and what that might cost them. Having security and money linked in their heads means we can actually implement better security. You need to put the lack of security of that Windows 7 system in terms of dollars potentially lost. Something like the Annualized Loss Expectancy. If that box gets popped, how much would it reasonably cost the business to recover from? Is that something which you expect to happen once a year, once every five years? These numbers will be mostly made up and wildly inaccurate. But, the goal is to just get in the right ballpark. How does that cost compare with the cost to upgrade? What about other possible mitigating controls you could use to protect it? Does it need to have internet access? Could you VLAN it off into its own little world and keep it running with reduced risk? Give management the expected costs of that system becoming patient zero in a ransomware outbreak and then give them several options and the associated costs (upfront and ongoing) to secure it. Have multiple options. A high cost one (e.g. replace the box), a low cost one (FW and VLAN controls) and the one you actually want right in between (OS Upgrade). Managers are like children, they need to feel like they made a choice, even if you steered them into it.

    Next, don’t try to boil the ocean. You’re not going to fix everything, everywhere, all at once. Get some small wins under your belt and prove to management that you aren’t going to break the business. Show that you aren’t just some greenhorn cowboy who is going to break the business because you think you are so smart. If you can make a plan for that Windows 7 system, show the costs involved and actually get the job done smoothly, then you might be able to move on to other things. Sure, you might actually be right; but, you could also end up breaking a lot of stuff in your quest to have perfect security (which you’ll never actually achieve). Take one or maybe two things at a time. It’s a slow process and it leaves things broken far longer than you will like, but it builds trust and gets more action than just screaming about everything at everyone. Slow is steady, steady is fast.

    Moving on, be aware that you probably don’t know everything about the business, and the business functioning is paramount. Why does everyone have local admin? Because that’s the way it’s always been and it has always worked. If you start pulling those permissions back, what processes get broken? This is a tough one, because it means documenting other people’s processes, many of which probably only exist in the heads of those people. How often are people moving around critical files using CIFS and the C$ share? It’s fucking stupid, but there’s a good chance that the number is greater than zero. You pull local admin from people, and now work doesn’t get done. If work doesn’t get done, the business loses money. You need to have a plan which shows that you have considered these things. Design a slow rollout which phases local admin rights out for the users who are least likely to affect the business. Again, slow is steady, steady is fast.

    And this brings us to another point, auditors are your friends. No really, those folks who come in and ask you where all your documentation is and point out every single flaw in your network, ya, they deserve hugs not hate. You’re in healthcare, where does your business fall on regulations like HIPAA (US-centric but similar regulations may apply in other countries)? 'Cause nothing says, “fuck your wallet” to a business quite like failing an audit. If you can link the security failures of the business to required audit controls, that’s going to give you tons of ammunition to get stuff done. I’ve watched businesses move mountains to comply with audit controls. Granted, it all becomes “checkbox security” at some point; but, that is vastly better than nothing.

    All that said, company loyalty is a sucker’s game. I’m guessing you’re early in your career and an early IT career likely means job hopping every 3 years or so. Unless you get a major promotion and associated pay bump in that time, it’s probably time to move on. Later in your career, this can slow down as you top out in whatever specialization you choose (or you get lured in by the siren song of management). So, there is that to consider. It might just be time to go find greener pastures and discover that pastures are green because the cows shit all over them. But, it can feel better for a while. Having your resume up to date and flying it out there usually doesn’t hurt. Don’t job hop too fast or you start to look like a risk (I stick to a 1 year minimum). But, don’t stick around trying to save a sinking company.

    Along with that, remember that you don’t own the company; so, don’t let it own you. When you get to the end of your day, go the fuck home. Don’t let the business consume your personal time in actions or thoughts. If the place burns, that’s the owner’s problem, not yours. Do your best while on the clock, do try to make positive changes. But, killing yourself to make the owner just a bit richer makes no sense. The only person who is ever going to truly have your best interests in mind is you, don’t lose sight of them. Say it with me, “Fuck you, pay me.”

    So, where to go from here? Well, you sound like you have a good plan at the moment:

    I am also looking into getting my Linux+ (currently only have my A+)

    Sounds solid. If you care about security, let me recommend poking your head into the cybersecurity field. I am absolutely biased, but I feel it’s a fantastic field to be in right now. Following up the Linux+ with the Sec+ can be a great start and maybe the Net+. The A+, Net+, Sec+ trifecta can open a lot of doors. And you now have some IT/systems background, which I always suggest for folks (I look for 3-5 years in IT on resumes). As a lead, I get to be in on interviews and always ask questions about networking, Active Directory, email security and Linux. I don’t expect entry level analysts to know everything about all of them; but, I do expect them to be able to hold a conversation about them.

    Good luck, whatever path you choose.
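The Annualized Loss Expectancy comparison the comment above describes (cost of a compromise, how often you expect it, and three priced options to put in front of management), worked through as an added example that is not part of the original comment. Every dollar figure, rate and option name below is a constructed placeholder; the point is the shape of the comparison, not the numbers.

```python
"""Annualized Loss Expectancy (ALE) comparison across mitigation options.

Added example, not from the original post. The SLE, ARO values, costs and
option names are constructed placeholders to be replaced with your own
(admittedly rough) estimates.
"""
from dataclasses import dataclass


@dataclass
class Option:
    name: str
    upfront: float       # one-time cost
    annual: float        # recurring cost per year
    residual_aro: float  # expected incidents per year with the control in place


def ale(sle, aro):
    """ALE = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def annualized_cost(opt, horizon_years):
    """Spread the one-time cost over the planning horizon, add the yearly cost."""
    return opt.upfront / horizon_years + opt.annual


def evaluate(sle, current_aro, options, horizon_years=3):
    """Rank options by yearly net benefit: risk reduction minus annualized cost.

    Returns (baseline_ale, rows) where each row is
    (name, ale_after, annualized_cost, net_benefit), best option first.
    """
    baseline = ale(sle, current_aro)
    rows = []
    for opt in options:
        after = ale(sle, opt.residual_aro)
        cost = annualized_cost(opt, horizon_years)
        rows.append((opt.name, after, cost, (baseline - after) - cost))
    rows.sort(key=lambda row: row[3], reverse=True)
    return baseline, rows


# Constructed scenario: a Windows 7 box whose compromise is guessed to cost
# $250k to recover from, expected about once every five years as it stands.
SLE = 250_000.0
CURRENT_ARO = 0.2
OPTIONS = [
    Option("Do nothing", 0, 0, CURRENT_ARO),
    Option("Firewall + VLAN isolation", 2_000, 500, 0.1),
    Option("OS upgrade", 8_000, 1_000, 0.02),
    Option("Replace system", 40_000, 2_000, 0.02),
]

if __name__ == "__main__":
    baseline, rows = evaluate(SLE, CURRENT_ARO, OPTIONS)
    print(f"baseline ALE: ${baseline:,.0f}/yr")
    for name, after, cost, net in rows:
        print(f"{name:28s} ALE ${after:>9,.0f}  cost ${cost:>9,.0f}/yr  net ${net:>9,.0f}/yr")
```

With these placeholder inputs the middle option (OS upgrade) comes out ahead: it buys nearly the same risk reduction as a full replacement at a fraction of the annualized cost, which is the kind of three-option framing the comment recommends putting in front of management. The residual ARO figures are the softest numbers here; run the comparison with a range of them before presenting it.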