oh wait everyone's an independent contractor now, that's how
# ? Dec 1, 2023 23:41
One weird trick they don't want you to know (the IRS hates this!!!)
those fuckers disabled copy-paste in the PDF

Shame Boy posted: not seeing the part where "developers" are responsible, just the companies they work for, did i miss that
Bhodi posted: those fuckers disabled copy-paste in the PDF
The one wholly-good thing, as I see it, from this ideas guy-feeling pdf is that the US administration is codifying working with "the opensource community" (as if there's only one, lol). The rest has all the hallmarks of being a can of worms for anyone who has to deal with it.
koolkal posted: What's so bad about this?

some bad devs itt
Bhodi posted: those fuckers disabled copy-paste in the PDF

i think that's what they mean too. if you work for a company, the company is liable. if you're an individual and personally release some garbage upon the world, that's on you
Bhodi posted: those fuckers disabled copy-paste in the PDF

quote: When companies make contractual commitments to follow cybersecurity best practices to the

Copy-pasting works in Firefox's pdf.js
BlankSystemDaemon posted: You mean this?

Looking forward to some great arguments about "risk mitigation vs risk avoidance" when someone gets sued for not patching their software quickly enough
BlankSystemDaemon posted: You mean this?

"knowingly" lol if you've not learnt to constantly qualify every statement about your work
I said developers as a catch-all term for anyone, corporate or individual, releasing commercial software. Didn't mean to cause confusion with individual software devs on a particular software program. I do think increased product liability in software and IT products is a very good thing if done right. I just don't have a lot of faith they'll get it right. A good starting point would be to develop a list of "doing any of these things is automatically negligent" standards like hardcoded admin passwords or other common pitfalls. Similar to how medical malpractice is one of the most complicated things to litigate yet there is also a list of things that are so egregious they're automatically malpractice, such as amputating the wrong limb.
Chalks posted: "knowingly"

if they're bringing charges under the false claims act, then yeah, specific knowledge would necessarily be a bar they'd have to clear for prosecution
koolkal posted: What's so bad about this?
Chalks posted: "knowingly"
yeah, oss license liability stuff is important yet basically unlitigated iirc
if you're an independent contractor then your contracting entity would be liable. this isn't that bad
Chalks posted: "knowingly"
BlankSystemDaemon posted: Is that lawyerese, though? This is just an ideas guy memo - if the actual bill is written to include more nebulous language in an effort to make liability violations easier to enforce, that'd certainly have a chilling effect.

it kind of is, but that also means that a plain reading (i.e. you have to knowingly lie about a product's security to be charged) is also valid for a layman

not that a lawyer's interpretation would be much different though
Soylent Pudding posted: A good starting point would be to develop a list of "doing any of these things is automatically negligent" standards like hardcoded admin passwords or other common pitfalls.

there are already tiers to "negligence": negligence home, negligence pro 2003, negligence enterprise, etc

it sounds like the most likely outcome is that a broad disclaimer of all liability wouldn't be enforceable under certain conditions (like idk maybe if you're paying 7-8 digits for software and support) but it's a moot point because the doc is just an overview of general motivating principles and this is just one of like 20 items in there
Beeftweeter posted: it kind of is, but that also means that a plain reading (i.e. you have to knowingly lie about a product's security to be charged) is also valid for a layman
Beeftweeter posted: if they're bringing charges under the false claims act, then yeah, specific knowledge would necessarily be a bar they'd have to clear for prosecution

I feel like "don't lie to the us gov about the quality of the things you sell them" isn't much of an ask, kind of incredible that it wouldn't previously be a problem? I don't think this would affect writing software bugs unless you have a habit of doing it on purpose. Don't tell anyone your code is guaranteed to be bug free, but who the hell does that? I'll never admit it will even execute until I see it.
strings virus.exe | grep "NO WARRANTY"
BlankSystemDaemon posted: Aside from everyone being an independent contractor like Shame Boy mentioned, what happens to the developer of the piece of software from that XKCD comic that holds up everything else, if a company who's using that piece of software as a library or as part of a stack, suddenly decides to throw that developer under the bus because they don't want to be liable?

from having actually read section 3.3, it's arguable that the vendor using that library is using "third-party software of unvetted or unknown provenance" as mentioned in the intro

the end result of that interpretation would be way fewer cases of companies ripping off open source which is great
BlankSystemDaemon posted: It's not like the Usanian government is incapable of writing bills that benefit itself if it's supposed to use the bill as a foundation for holding people liable.

some of this seems to just signal a strategy shift for DOJ prosecution, i hadn't heard of them bringing anything like this under the false claims act before but logically it does make sense. i don't see why they couldn't

to be sure there are parts of proposed legislation in there, but that specific part reads more like a prosecutorial strategy memo to me
BlankSystemDaemon posted: Aside from everyone being an independent contractor like Shame Boy mentioned, what happens to the developer of the piece of software from that XKCD comic that holds up everything else, if a company who's using that piece of software as a library or as part of a stack, suddenly decides to throw that developer under the bus because they don't want to be liable?

the word "developer" appears in the document once, in the following sentence: "Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product."
Soylent Pudding posted: I said developers as a catch-all term for anyone, corporate or individual, releasing commercial software. Didn't mean to cause confusion with individual software devs on a particular software program.

we certainly got the meltdowns tho!
koolkal posted: the word "developer" appears in the document once, in the following sentence:

This is probably the most salient point in this discussion. There seems to be a lot of copy regarding working collaboratively with open source. Some novice dev that freely publishes an insecure web platform for checking their iot plant moisture sensor is not going to be affected. A commercial company taking the code verbatim and not addressing known security issues before selling a product on the marketplace will probably get slapped.
At any rate, good luck suing any overseas manufacturer for damages. Unless the liability transfers to Amazon, which would be hilarious. Also, given the current makeup of the US congress, it's unlikely that widespread industry liability legislation will pass for the next two years or so. However, there are already plenty of cybersecurity provisions that are already written into current federal contracts, particularly if you work with federal data. So we'll certainly see how these new regulations play out in the next few years before Biden's administration rolls it out to everyone else in his second term.
Bhodi posted: those fuckers disabled copy-paste in the PDF

on my linux desktop, the only pdf reader I have that actually honors disabled copy and paste is chromium. everything else doesn't give a crap
I loaded up chrome and gently caress. I loaded up edge and double-gently caress. then I gave up because I didn't care that much
Bhodi posted: I loaded up chrome and gently caress

just use firefox, it's cool
does firefox have any developers left?
Bhodi posted: does firefox have any developers left?
koolkal posted: Why would you think the individual engineer would be the one held liable lmao

Chalks posted: I feel like "don't lie to the us gov about the quality of the things you sell them" isn't much of an ask, kind of incredible that it wouldn't previously be a problem?

evil_bunnY fucked around with this message at 23:04 on Mar 3, 2023
evil_bunnY posted: That's how it works for actual engineering in a bunch of places, and when you gently caress up there are individual consequences.

Ah, so to be clear, we will use this new legislation to actually prosecute major government contractors? No? It will be used as a political tool more than anything? Oh, ok.
"we had an individual bad actor who did not follow our company's policies and procedures which led to the vulnerability. We have taken corrective action by firing the individual and we are cooperating with law enforcement to aid in their investigation so that this person is held accountable for their actions"
Volmarias posted: Ah, so to be clear, we will use this new legislation to actually prosecute major government contractors?

they don't need new legislation for a lot of it. part of what we discussed before, and what you're referencing specifically, falls under the false claims act which was passed under abraham lincoln
Shaggar posted: "we had an individual bad actor who did not follow our company's policies and procedures which led to the vulnerability. We have taken corrective action by firing the individual and we are cooperating with law enforcement to aid in their investigation so that this person is held accountable for their actions"

you missed the bit about "all employees will be required to go through a 4 hour policy training session once per quarter"
random question but what is considered the standard for enterprise wifi these days? is it still certificate-based 802.1x managed by radius with adfs issuing the certs? do any companies have any interesting alternatives to that model? in particular, the adfs component of it? how is azure ad as an adfs replacement for x.509 certs? it's been a while since i've had to do any wireless networking poo poo and i'm curious what this landscape looks like these days

edit: i found this, which looks very interesting. i was never a super strong windows admin, but never liked working with adfs. anyone have any experience with this in particular? https://redmondmag.com/articles/2022/02/14/azure-active-directory-certificate-based-authentication-preview.aspx

post hole digger fucked around with this message at 02:29 on Mar 4, 2023
post hole digger posted: random question but what is considered the standard for enterprise wifi these days? is it still certificate-based 802.1x managed by radius with adfs issuing the certs? do any companies have any interesting alternatives to that model? in particular, the adfs component of it? how is azure ad as an adfs replacement for x.509 certs?

The very high end cloud-managed wifi from aruba will let you do client enroll with an app that checks the client security stance and use saml for credentials so you can use mfa for extra security.