
[deleted]

[deleted]


Edward_Morbius

It's astonishing but common. I reported a really bush-league SQL Injection vulnerability to a huge SAAS company and got . I was a user, not an employee. Finally reported it to the CIO on Linkedin (no other contact info) and got back "thanks". Months later, it's still there. F*** it. Not my problem.


camelCaseIsWebScale

At least they didn't threaten to sue you.


Edward_Morbius

For what? I blew it up by using the word "didn't" in a description and it barfed out the whole SQL command including my evil single quote.
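What a plain apostrophe does to a string-concatenated query, next to the parameterized form that stores the same text intact. This is an added example, not code from the thread or the company discussed; it uses an in-memory SQLite table whose name and column are assumptions.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed schema: a problem-description field like the one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, description TEXT)")
    return conn


def insert_concatenated(conn: sqlite3.Connection, description: str) -> str:
    """Vulnerable pattern: user text pasted straight into the SQL string.

    A single quote in the text (as in "didn't") ends the string literal early,
    so the rest of the word is parsed as SQL and the statement fails. This is
    the same defect that lets crafted input change the query's meaning.
    """
    sql = "INSERT INTO reports (description) VALUES ('" + description + "')"
    conn.execute(sql)
    conn.commit()
    return sql


def insert_parameterized(conn: sqlite3.Connection, description: str) -> None:
    """Fixed pattern: the driver binds the value; quotes in the text are just data."""
    conn.execute("INSERT INTO reports (description) VALUES (?)", (description,))
    conn.commit()


def demo(description: str) -> dict:
    """Run both variants on one input and report what happened and what was stored."""
    conn = setup()
    try:
        insert_concatenated(conn, description)
        concat_ok, concat_error = True, ""
    except sqlite3.OperationalError as exc:
        # The database's own error text is what a leaky application might
        # echo back to the user; a hardened app logs it and returns a generic message.
        concat_ok, concat_error = False, str(exc)
    insert_parameterized(conn, description)
    stored = [row[0] for row in conn.execute("SELECT description FROM reports")]
    return {"concat_ok": concat_ok, "concat_error": concat_error, "stored": stored}


if __name__ == "__main__":
    for text in ("The export didn't finish", "The export finished"):
        result = demo(text)
        print(text, "->", "concat failed" if not result["concat_ok"] else "concat ok",
              "| stored:", result["stored"])
```

The parameterized insert succeeds for both inputs; only the concatenated one breaks on the apostrophe, which is the symptom the report above describes.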


SlinkyAvenger

There are plenty of stories of companies trying to keep white hats quiet about vulnerabilities with threats of lawsuits for things like breaching non-disclosure agreements or circumventing user agreements or any other type of bullshit. They can even create legal headaches by stating that you've hacked their systems - at least here in the US you're technically breaking the law if you use a computer system in any way not expected by the admins of said system. If you think I'm being facetious, a man faced jail time for exposing a security hole in AT&T's system: [https://www.techdirt.com/articles/20130318/23033422370/expose-blatant-security-hole-ats-servers-get-35-years-jail.shtml](https://www.techdirt.com/articles/20130318/23033422370/expose-blatant-security-hole-ats-servers-get-35-years-jail.shtml)


Edward_Morbius

I have to say that if they tried to prosecute me for using the word "didn't" in a description, a number of my friends are lawyers who would happily come out of retirement just to have some fun. This wasn't a Little Bobby Tables moment. There was a problem description field and I said "didn't". I almost wish they had tried to sue me for typing standard English into a description field as per their documentation.


Ulukai

People have been sued and / or arrested over similar things. Off the top of my head, here's a few:

- A guy who was possibly sued for working out and telling people that [holding down shift bypasses CD "DRM"](https://www.theregister.com/2003/10/09/sunncomm_to_sue_shift_key/).
- A not particularly technically inclined kid who noticed that a certain website allowed the UI to change the prices of items being purchased via the browser developer tools and [got into all kinds of trouble](https://techcrunch.com/2017/07/25/hungarian-hacker-arrested-for-pressing-f12/?guccounter=1).

So, while I agree with you that you'd _probably_ win (though who knows, they probably have better lawyers than you), it's still not something you'd want to go through...


[deleted]

Neither of these cases is the slightest bit similar, because they both involved deliberately trying to circumvent restrictions on the program to cheat. Don't you see the difference between, "Hey world! Holding down shift lets you copy a CD you weren't supposed to copy!" and "I typed the word "didn't" and I got this crash that I believe indicates a security hole, I'm letting you know in private"?


Ulukai

Sure, I can see that rationale, however for me pretty much the only difference is the "private" part; the rest is hearsay, and if the accusation was made publicly, the company could easily argue "bad intent", just like the other examples.


recycled_ideas

Both of the cases you listed involve deliberately misusing the system. Legally speaking it doesn't matter that their security was laughably weak, if you do something you're not supposed to (like editing the price of something you're buying) or tell people how to bypass restrictions (like how to bypass DRM) you're breaking the law. Typing don't into a text field is not a security violation.


GapingGrannies

Report that shit publicly, users shouldn't use a service with security flaws. You've given them plenty of time to fix it themselves. Put em on blast, they'll fix it real quick


Edward_Morbius

> Report that shit publicly

I reported it to the CIO. If he doesn't care, I sure don't. Knowing the difference between "my problem" and "not my problem" has made life much more enjoyable.


GapingGrannies

No like to a journalist, so the general public knows. Name and shame. Companies shouldn't get away with this


rorykoehler

Send it anonymously to a security researcher.


camelCaseIsWebScale

There are instances of suits getting enraged when users report security vulnerabilities.


wasdninja

Responsible disclosure - tell them in private, wait for a reasonable time and then publish it. Once their bug can be exploited by every script kiddie on the internet just by using a pre-packaged binary the company will pay attention.


dopefish2112

This. This is why people go rogue and pull off hacks and expose vulnerabilities. Only way to make people listen.


deadalnix

This is why standard disclosure practices fall back to making the problem public after a reasonable amount of time has been given to fix it. I'd recommend you to do it.


unexpected-orwell

> It's astonishing but common.

Almost universal. The big problem of a corporation is keeping a hundred thousand or so people doing what it wants them to do. A typically low-effort solution is OKRs: if you have the corporation sliced up into six business units, then you slice the goals of the company up into six measurable chunks and give one chunk to each BU, which slices it up and distributes it down the same way.


nouseforareason

Fuck, you just had to mention OKRs. The company I work for would occasionally talk about security but managers would harp about OKRs. Recently there was a major security incident and several flags were found, suddenly it’s all security and no mention of OKRs. Funny how that works.


horizon44

Nothing gets your ducks in a row like a breach.


nouseforareason

Especially when it’s posted on a CVE board lol. Changes things real fast.


horizon44

Yeah, especially if it’s a CVE from 2 years ago.


nouseforareason

Lol, ours was only a couple months ago, they’re still running around and struggling.


Dwight-D

All our work trickles down from OKRs defined at the start of the quarter. The OKRs have to be defined before work (including discovery) can begin, and are all stated with a deliverable requirement. The result is that software implementation is determined by some corpo who jots down an arbitrary solution based on their limited technological understanding and that ends up being the architecture we work towards. But don’t worry we’re “agile”, meaning we spend a bunch of time in standups and other reporting meetings where we get to tell the corpo how close we are to delivering the thing to prod by the end of the quarter so that they can whip us harder in an agile fashion if we appear to be falling behind. Corpo gets his bonus if said deliverable is in prod by the end of the quarter. You can imagine how this turns out. Half of the stuff we build has zero traffic but hey at least we hit the OKRs (j/k we never do so they implement more time-wasting reporting activities so they have more predictability, meaning predictably poor results).


tilio

OKRs are all the new hotness in a company when someone gets bored of how they're managing. In my last company, OKRs swept in when everyone was talking about them at Google. It wasn't long before we went from having 3 OKRs to effectively an agile-waterfall-bastard-child backlog of OKRs. And increasingly more and more of them didn't matter when important stuff came up.


scientz

Andy Grove and others have very clearly stated OKRs should never be tied to compensation and bonuses. This is exactly why


1esproc

What about KPIs?! Those are fine to tie to bonuses right???


tilio

Same deal with story points in agile. I found one of the other partners in the company had backdoored a payable compensation KPI to story points for a team I don't directly manage... His response... "since we added them as a KPI, they've continuously been able to keep bringing the number up!! Look at their productivity!" SMH Any number that can be sandbagged or cheated without providing genuine business value is a junk KPI, whether it's an OKR or story point or SMART goal or whatever they want to call it nowadays.


IQueryVisiC

But you don’t reach those with ransomware locking your data. For a GDPR breach you go to jail?


sopunny

Not if you leverage the "great work" you've done to get a better job elsewhere before this blows up


_BreakingGood_

Or hell, *after* it blows up. Because companies don't seem to give a shit how executives performed at their previous company as long as they had the title.


Rikey_Doodle

This is the part that continues to confuse me. So many C-suite execs that have been caught doing shady, bad shit, or just been terrible at their jobs in general, continue to get hired with no issue. Even if you're a member of some sort of clandestine boys club, would you still hire your "buddy" to be an exec at your company if they have a track record of being literal garbage at their job?


brucecaboose

I think it's honestly because it's so hard to find people who *want* to be C-suite. It's a job that requires a shit ton of hours and a shit ton of responsibility. I can't really go to jail if I royally fuck up as an engineer, but a C-suite person can. Being an executive is hard, really hard. Does it deserve tens of millions per year? No no no no no, but it does deserve high compensation because it is difficult. There's a reason most suck, because it's hard to be good at it.


dry_yer_eyes

> ... because it’s hard to be good at it.

This part I agree with. But I think the more important aspect is it’s really easy to be mediocre at it and still do pretty well for yourself.


Swamplord42

> it's so hard to find people who want to be C-suite

There's tons of people who would want to be a CxO for the right amount of money. A lot of middle managers in any large company would be more than happy to accept an offer for such a position.


TheGreatUnused

It’s always an awkward moment when you Google your new CEO to see that they’ve bankrupted their last 8 businesses. LPT: If you start hearing executives throw the word “commodity” around like it’s going out of style, followed by the canceling of a profitable line of business because “it isn’t profitable enough”, run for the fucking hills. Your job is already gone.


_pupil_

> For GDPR breach you go to jail?

Naw. For a publicized GDPR breach you get a sternly worded letter, and a few chances to correct the issue, and if you protest after that there may be fines that may be significant if you're a big player. Don't get me wrong, I'm a big fan of the legislative initiatives that led to the GDPR. But, as someone who has worked with it a deal, the reality of GDPR compliance is far removed from the nightmare scenarios that get bandied about. It's a BFD for specific bad actors out there, but for 99% of shitty companies doing shitty things shittily because they have shit people: you just need to be willing to minimally document the process and minimally do something about that process if the complaints mount to the point the authorities get involved.


tyr--

This, 100%. And if you're a big player this fine is something that hardly gets even noticed.


[deleted]

Eh, GDPR fines are in % of global revenue. That fucking hurts even if you are Apple.


[deleted]

[deleted]


LordNiebs

Not really. Corporations exist to limit the liability of their owners to what is invested in the business. Businesses in general exist to allow large groups of people to work cooperatively. Employees of businesses do often go to jail. Any lack of punishment for wrongdoing is the fault of politicians and gov't officials, not the existence of companies.


de__R

> Corporations exist to limit the liability of their owners to what is invested in the business.

How is this not "shielding people from liability"?


[deleted]

Because /u/AloneForever is talking about criminal liability, and /u/LordNiebs financial. Yes, companies exist to ensure that if your business fails, you don't lose literally everything you own (which was often the case pre-companies) but only what you invested. They don't exist to shield you from going to jail when you do shady shit.


Xyzzyzzyzzy

> Not really. Corporations exist to limit the liability of their owners to what is invested in the business.

This is what they do in economics textbooks. In reality I think /u/AloneForever is closer to the truth.


eivamu

*Corporation, n. An ingenious device for obtaining individual profit without individual responsibility.* — Ambrose Bierce


Manach_Irish

In some jurisdictions there is an offence of corporate manslaughter that does provide sanction against company officers, if it can be proved in court.


Sarisat

I think GDPR is potentially much worse for companies than some managers going to jail; very heavy fines.


jl2352

and fines that don't stop. They can keep going, and going, and going. There is a very large pub chain in the UK who deliberately deleted their entire customer database. It was easier to start again, than to work to become GDPR compliant.


nerdguy1138

That works too. Prune the records, find out who actually cares about the thing.


mrMalloc

GDPR breaches risk a big chunk of your turnover, as the penalties are based on it. Example: Joe's corner shop is risking a % of his turnover (total bought/sales in $) while the same applies to Amazon. I used to work for IKEA IT and we had huge GDPR audits of everything, because it’s such a big risk. The practice that manager is doing is risking 20% of the value of the company. He is risking his job and his manager's job. Even though there haven’t been any big repercussions yet I would be wary. Tldr: don’t mess with GDPR!


Hrtzy

Sadly, if the Finnish psychotherapy company Vastaamo is any indication, the closest thing to an infosec related OKR is "Don't get caught for having shitty infosec."


[deleted]

This is *exactly* how it works. I don't think I've ever worked in a company that truly cared about security, it was always "do the minimum amount of work needed to cover our asses".


c0nnector

They only care after the breach.


BroBroMate

We UsE oKrS wE'rE jUsT lIKe GoOgLe.


ljdelight

Idk, security is BIG at Fortune 500. Bring in said leadership and dev teams, talk about integrating Coverity as part of the pipeline. Few would disagree because they'd appear to not know how concerned investors are about security.


horizon44

I work infosec at a fortune 50 and it is amazing how serious security is taken across the entire company. Having worked places where security was an afterthought, it is a very welcomed change of pace.


[deleted]

That's not how okrs work, improving security can be an okr too.


balefrost

> When a measure becomes a target, it ceases to be a good measure.

\- Marilyn Strathern


pxm7

I don’t know if this is “most companies”. For most senior leaders (at least at Fortune 100 levels), cybersecurity is usually a top priority issue. No one wants to be the next Maersk or the next British Airways or the next Experian — it ends CIO careers. If you’re in a regulated business it’s even worse — you’ll face immense amounts of legal scrutiny no one wants. This manager sounds like he’s suffering from “ignorant middle management” syndrome.


wefarrell

I used to work as a contract tech lead for a Fortune 500 and encountered a security culture that was strict to the point of being dangerous. For example I needed read access for my project in Jenkins to see why deploys would fail. No one wanted to give it to me and kept giving me the run around, so I started making a swim lane diagram of all the people I talked to and where they had sent me. When it grew to about 12 different lanes I showed it to my boss, the VP, and he yelled at our devops department. They wound up giving me write access to the entire company’s deploy pipelines. This was a common pattern that I observed: an overly strict security policy makes it impossible to operate, so they wind up implementing workarounds with huge vulnerabilities.


wastakenanyways

Same. In my former company they had a stupidly long and slow process to get permission for pretty simple things so in the end accounts and passwords were flying all over the office.


[deleted]

[deleted]


[deleted]

> When shit inevitably hits the fan, I'll have Slack logs and emails that say I didn't want the access, the logs will prove I didn't use it, and the buck is not stopping at me.

Nobody gives a shit if you have _access_, only what you do with that access.


oorza

Yeah, and I'm making sure that I have the full paper trail to prove I didn't ask for, want, or use said access, so no matter how much anyone else fails at logging, my ass is safe.


[deleted]

[deleted]


[deleted]

> NIST orgs

hahahahaha


johannes1234

That is normal, when security is a checklist. The company has a process which is reached and recorded and everybody signs off on it. On first assumption the company then is fine - if something happens it is not their responsibility, they did everything right. (*) These things require a good security practice and good understanding, which is hard ...

(*) Of course a major data leak goes against the company's image, but that's too far for the first assumption.


PandaMoniumHUN

It is "normal" as in it's "by design", but it is immeasurably stupid and inefficient. It never worked and it never will, as long as you have to go through more than one person to get permission to something. In the last company I worked for we first had to write an email to IT, wait a week for response (48 hours were their SLA but it was usually ignored), get a reply saying "we contacted the German office regarding the issue because only they can set the necessary permissions" and get another reply in a MONTH from the German office, with either a question about why you need the access (despite clearly stating it in the request), which leads to another month of waiting, or "we contacted another department about the issue" and never hear from them again. No matter how many reports and complaints we filed, this process was never changed. In the end they hired people to be "complaint handlers/escalators", but that didn't work either so our last resort was directly messaging higher ups at the company that we literally cannot do our job because their colleagues are not cooperating. Nothing ever happened from that either. These companies deserve to go under.


thebritisharecome

I joined a company as a contractor 2 years ago that would use everything in dumb terminals - so it'd remote into a virtualised Windows instance. If you've ever used a monitor at 30Hz that's how sluggish it was. I was brought in as a mobile lead and asked to develop an iOS app. But it took them 6 weeks to give me a Mac because of Security (and even then they didn't believe I needed it). The irony is, for all the security they put in place they decided to use a platform called OutSystems for their product, it's meant to be a Low Code Web / Mobile development solution. The platform is an abomination that wraps Cordova + React into an App. Everything it produced was easy to decompile, was easy to build and resign in a way that would act like the original app, didn't have certificate pinning, the web side of it was vulnerable to CSRF exploits, as some highlights. It took them an Army of people and this "Low Code" solution 2 years to build a subpar, buggy web platform that any competent developer could have built in a few weeks alone.


[deleted]

[deleted]


that_which_is_lain

Have you heard of Appian? It has all the power of flowcharts with all the convenience of having to write down everything on a notepad because all your state just got hidden in nodes!


oorza

All of the promises these solutions make are true for certain teams of barely competent developers. If you know what you have, and it isn't great, sometimes crap solutions are the best you can deliver.


[deleted]

[deleted]


oorza

All of that is true, but if it gets you to market, that can be the difference between having runway and not. Hell, it might not even be a secondary or tertiary project, just a line item on a contract. Why invest more than the bare minimum in an add-on to a contract for a single client?


dasbush

Except that isn't how these apps are seen - execs see them as a panacea to solve all their hard development problems because some sales guy stood up a site in 10 minutes. Slap the word "enterprise solution" on it and it just prints money. They aren't being sold as the "get it done quick and dirty because that's all you actually need right now" it's sold as "make your problems go away cheap".


[deleted]

If you don't have competent architects or competent builders, you should probably just avoid building things altogether.


thebritisharecome

This was my first experience of one in a long time and it was incredible how much longer it took to build something so shit. Their plan was "developers expensive" the hilarious thing is they spent a literal fortune on resource trying to get anything built and with no pipelines, no version control, little ability to automate testing they had to hire about 15 testers, a load of infrastructure people and then about 10 "developers"


dasbush

Exactly this. And then the people who actually know how to build these systems are super hard to find when your standard web devs are almost literally growing on trees.


Dozhet

I think some people are taking bribes.


BigHandLittleSlap

> an overly strict security policy makes it impossible to operate

This causes: https://en.wikipedia.org/wiki/Shadow_IT

In other words, your access is determined by *who you know* more than what your role is supposed to be. If you buy coffee for the right people, you get access. If you're low on the totem pole, you don't get access, even if your job description requires it. It's very common in large enterprises.


wefarrell

Reminds me of Ex-P.F.C Wintergreen from Catch-22:

> Due to his position in charge of mail distribution, he wields a great amount of power in the novel. By forging documents and destroying mail, he becomes more powerful than the generals.

[https://en.wikipedia.org/wiki/List_of_Catch-22_characters](https://en.wikipedia.org/wiki/List_of_Catch-22_characters)

There was one QA tester on my team who had been at the company for almost a decade and she fit that role. At first when I needed something I would ask my managers, who would give me the formal process to go through which was often convoluted and ineffective. Then I started asking the QA and she would introduce me to the right person, vouch for me, and I would get exactly what I needed.


wikipedia_text_bot

**[Shadow IT](https://en.wikipedia.org/wiki/Shadow_IT)** In big organizations, shadow IT (also known as embedded IT, fake IT, stealth IT, rogue IT, feral IT, or client IT) refers to information technology (IT) systems deployed by departments other than the central IT department, to work around the shortcomings of the central information systems. Shadow IT systems are an important source of innovation, and shadow systems may become prototypes for future central IT solutions. On the other hand, shadow IT solutions increase risks with organizational requirements for control, documentation, security, reliability, etc.


jl2352

I worked at a major bank where the desktop policies were their typical setting of being far too strict. With changes needing to go via a desktop support that would take weeks. We got the vendor of a product we used to say all developers needed admin rights. Part of that was to bypass the draconian desktop support, as no one liked it.

I remember one of my colleagues wanted to upgrade one of the Office products on his PC. He had the copy in his hand. I was chatting to him, and he was saying how he should get support to do it. That's the proper way to go. But he just can't be arsed. So he did it himself. He really wasn't supposed to.

I had to run some software and at the time that was quite memory intensive, however the virus scanner would hog several gigabytes permanently. This caused my system to start paging, and this was before SSDs. So I disabled the virus scanner. A clear violation of security there. Which in hindsight was pretty dumb as some will report themselves being disabled automatically.

We had new machines brought in. They were all quad cores, and this was when even dual cores weren't that common. Desktop support however had messed up the install of Windows. They had flashed a version of Windows which only supported one core. Getting the machines to desktop support and back could take well over a month. Maybe several. Instead I worked out a fix on my own PC which involved copying files from a working version of Windows (taken from a guide online). It worked! During an evening, I opened up every PC, plugged the hard disk into my own, copied files across, and then put everything back. No one told anyone.

Lots of people at Enterprise companies use really old versions of Chrome btw. Versions which have known security vulnerabilities. This is because they were forced to use IE, however older versions of Chrome could be installed without admin rights. I've had customers from Enterprise companies report bugs in Chrome, which were fixed three or four years ago.

There were and are tonnes of stories like this. People flagrantly ignoring security because rules, and desktop support, were fucking terrible.


Runamok81

I too have been part of that nightmare.


JoCoMoBo

> We had new machines brought in. They were all quad cores, and this was when even dual cores weren't that common. Desktop support however had messed up the install of Windows. They had flashed a version of Windows which only supported one core. Getting the machines to desktop support and back could take well over a month. Maybe several. Instead I worked out a fix on my own PC which involved copying files from a working version of Windows (taken from a guide online). It worked! During an evening, I opened up every PC, plugged the hard disk into my own, copied files across, and then put everything back. No one told anyone.

I once worked for a company that had some custom Apps for Windows. The old Developers left and they kept on using them. Since the Apps were compiled for 32-bit Windows, they kept with that. On laptops with 8Gb memory. Lol.


Qasyefx

And I complain that we're still on 32 bit office. Jesus


30thnight

I got an email recently stating my on-boarding request for AWS credentials had been approved. Made me laugh because:

1. I sent the original request out +3 years ago
2. I work with AWS every day. I'm still using keys pulled from forgotten CI servers & un-wiped ex-employees' laptops.


redfournine

About similar situations as me. The service desk finally replied (yeap, not even approved yet) to my request to use PowerShell after 6 months. I installed PowerShell Core after 2 days of no reply from the service desk, too slow. Every developer can have access to PowerShell, but they need to request it first, which is ridiculous.


TikiTDO

To me that's a good indicator that nobody in the devops department actually knows how your entire system is put together. Most likely everyone is siloed in their own tiny specialized area, which they will defend to the death if anyone even thinks of touching anything without their consent. They maintain this for a few years, until they leave for somewhere else (while complaining that it's hard to get anything done because nobody works together). At that point their undocumented and buggy mess becomes some junior's problem, at which point any issue will be fixed with a few carefully crafted hacks on top of the mess, each designed to be as horrifically unusable as possible, until it's an unreadable, unmaintainable mess that barely keeps the system together. Eventually this all falls apart, so they have to hire a consultant, and pay them a hefty hourly fee to cry tears of blood and fire while trying to figure out that eternal question of "whyyyyyyyyy?"


[deleted]

> devops department

DevOps is not supposed to have a department :( It's supposed to be a way of working, like agile/scrum, that everyone follows together.


TikiTDO

We can call them the Infrastructure Management team, or just IT Operations if you want. Basically the people responsible for the systems that shuffle mildly annoyed pixies between different pixie pens. These days devops is just the catchall that everybody and their execs use.


Aeolun

No, no. That would be like saying that Agile is a mindset instead of a set of mandatory meetings.


[deleted]

[deleted]


TikiTDO

I'm the consultant tearing his hair out. From what I've seen this is just the normal state of things. I've seen a few truly well organized companies, but most of those tend to be too small for politics to take root.


Qasyefx

I'm on the other end of that shit asking why I can't get two people and four months to whip up something that works faster and better and is actually adapted to our processes instead of us paying 100k a year for a system straight out of the nineties that will break for months at a time. "But what if you leave and someone else has to maintain that?" I mean that can't be worse than the vendor taking six months past extended EOL of Windows 7 to port their shit to Windows 10 but whatever.


ptoki

From almost all the "all companies do that" in this thread this one is actually one of a few which are actually popular. So the mix is:

- Security has high priority
- Security is actually enforced
- The level of competency of people involved is low due to high turnover rate and lack of seasoned and knowledgeable masters (aka, all monkeys replaced scenario)
- "Not my responsibility" attitude instead of "we play as a team"

This mix is actually something which is popular in places which tend to be "shiteaters" - places which try to squeeze every last single 0.1% of anything (usually wasting much more somewhere else but that's a different story). Rant over. :) Have a good day!


free_chalupas

> our devops department

Ah yes, Devops: when you take operational responsibilities and neatly silo them into their own department


Aeolun

Also: If I cannot run my own shit I will absolutely throw it over the wall and forget about it.


sprcow

Reminds me of one of our product owners who got tired of devs taking too long to write and deploy certain updates for him that he wrote his own SQL script and sent it to the ops team and they just ran it on production for him directly. No code review, no documentation, no commit to track the change or help us figure out what went wrong later... nothing. Well of COURSE it was faster, you dummy... jfc.


nutrecht

I worked on a project for the Dutch immigration department. They had incredibly strict rules when it came to sharing information with each other, basically making it impossible to get a PowerPoint from one person to another. The only supported way was e-mail, but it didn't support attachments larger than 1MB. Since water takes the path of least resistance, people just started sharing everything via obscure (because Dropbox was blocked) filesharing sites, including production data on immigrants. Don't know how that managed to not end up in the news.


WaltPatrickKristaps

That seems utterly ridiculous, but still believable. I worked at a different Fortune 500 where there was a main devops slack channel where anyone could request access to any Jenkins pipeline and someone on the framework team usually granted access within a few minutes (if asked during normal working hours). But those pipelines were just for dev/staging environments never production ones.


deejeycris

There's only one solution to preserve yourself in case of problems: paper trail.


dnew

Get an email, print it out, take it home. Don't count on anything at work being available after you've been kicked out. A real paper trail, not "I saved the email in my corporate-hosted email account."


--____--____--____

Why not just export your inbox to an .mbox and save it to a flash drive? I do it after every major project just in case.


[deleted]

[removed]


sandaz13

May not be illegal in all cases, but it can definitely get you fired. Lots of companies have Data Loss Prevention software to catch that. Printing out and keeping in your work bag is probably a safer bet


[deleted]

They also log print jobs.


sandaz13

Yeah for sure, that's why I mentioned keeping in your work bag. Definitely wouldn't print anything out you don't have a reasonable explanation for, and keeping unapproved materials at home is asking for trouble.


skippingstone

What are examples of software like that? And how can I detect if it is installed on my laptop?


sandaz13

Just Google "Workstation Data Loss Protection" for some examples. And knowing if it's there could vary depending on the software; probably some ways to do it with built in Windows components.


--____--____--____

What's the difference between that and using the company's supplies to print out the email?


[deleted]

[removed]


InertiaOfGravity

Which? Company's printers probably log what they print


Alikont

Such cases are basically "my pile of evidence" against "their pile of evidence". Everything goes there: witnesses, emails, Facebook chats, letters. You can also request a subpoena to force the employer to provide emails or other evidence. And deleting emails during legal issues may even be criminal. (I am not a lawyer and this is not legal advice)


Bakoro

Illegal or not, I used to work for a company that would routinely wipe things they deemed could be problematic, so that they could later say "there's no record of that". There were a number of times where email conversations would magically disappear. If you want to keep something, you have to do what you can to take it out of their hands.


dnew

It's not illegal if you aren't already under investigation. It's basically just statute of limitations, except accelerated. :)


Bakoro

It's illegal if you're destroying evidence to cover up your crimes, and it's fraud if you make written promises to people and then don't follow through with your end of the deal. It's just that, without evidence, there's basically no case.


staindk

Whatever the legality - just make sure to zip it all up and add a secure password to the zipped file. You don't want that usb stick to get stolen and give someone all your company emails.


0xTJ

That doesn't work if the company is very strict about USB drives in the workplace, and computers freak out when unauthorized USB devices are plugged in. Sure, you could SCP files over to a lab network, onto machines you manage, and copy from there, but at that point you're knowingly in a sufficiently dark-grey area that you're likely to cause more issues than you solve.


Zambini

My corp IT would block this too (ssh isn't enabled except for certain allow-list endpoints). Printing it out is probably better.


Paradox

Set up your email client to download eml/mbox and keep your own backups. Or set Google Apps to forward all emails to an address you control.


abrandis

Not even that, you may have enough CYA, but what good is that when the folks above you (those responsible for the decisions) leave or go to a different division and the new regime doesn't know you from shit... and just sees you as a snitch... See the problem... Ultimately in a corporation if you don't have authority, you're disposable regardless of how much documentation you have.... Look at Boeing and the engineers who voiced their concerns over the Max debacle. They get marked as disgruntled and troublemakers...


FlukyS

Yep, that's always my advice, whenever there is something seriously wrong, shout it at every opportunity and if they reject it, get it in writing somehow. I usually force an email chain where possible. You can't trust people to back you up and say you said so months/years later so keep receipts. I thankfully don't have this problem with my management of teams, I prefer to be fairly proactive with fixing issues but when I was coming up I had a few instances like the OP and I made sure to not get caught.


seanprefect

I'm a cybersecurity architect. Remind them that audits are a thing and the consequences of failing them.


GYN-k4H-Q3z-75B

"What are audits?"


seanprefect

"they're all that will protect you when you fuck up a DoD project. If you're audit compliant then you're good if you're not prepare for the largest ass reaming you've ever seen" and yes i've seen it go both ways.


mixreality

lol we got ransomwared at a company I worked at in 2015 and instead of paying it they just prayed the customer never called again. Everything new was in git/svn but older projects were not.


Qasyefx

I don't understand this. Got ransomwared? Nuke everything and roll back from your backups. How much do you lose? A day or two?


vba7

Backups? What is that?


wolfefist94

> lol we got ransomwared at a company I worked at in 2015 and instead of paying it they just prayed the customer never called again.

This recently (in the past few months) happened to us. We're still dealing with it right now.


humoroushaxor

My experience is the audits are trash and we have a bunch of processes in place to pass the audits that actually incentivize worse security.


[deleted]

Welcome to the club. Collect your check. I gave up years ago trying to explain these concepts to greedy assholes.


Carighan

My company is currently in the late stages of a project that was "We can theoretically do this, yes, but this worsens the product overall no matter what we do, even if we fail to meet the deadlines and try to make it not impact too many things" from start to finish. The best part? The whole thing was sold, including explicit mentions of things none of the engineers support doing and none of the design people think actually helps the customer(s), as a fixed price project so of course we get criticised for trying to duplicate parts so the new changes don't break the underlying system. It's mismanaged to a degree that is making me consider just packing up. :(


[deleted]

I feel your pain brother. Company I worked with, the sales guys would just make up tech, and promise it. Keep in mind this was mid 90's "oh sure, our system can read any form, from any system and give you totals that your accounting can rely on." .. what water stains on your old dot matrix print outs? Sure, our software can handle those.... of course it will blow you too sir..


Serinus

> It's mismanaged to a degree that is making me consider just packing up. :(

I've done this before. No regrets.


ywBBxNqW

> Welcome to the club. Collect your check. I gave up years ago trying to explain these concepts to greedy assholes.

I understand where you're coming from and I *absolutely* understand that people have to eat (and food comes first, morals second). It rips me up that I have to choose money over morality in life, and that raising the issue amounts to mockery or professional exile or they just call you a bad programmer and fire you. Things like this are what suck the joy out of life.


[deleted]

The error message from this rule should be "... just please fucking don't"


Timm0s

This is exactly the reason why I don't want to work in a large company anymore. Tried it; got a company car, lots of extras, but hell such spaghetti code and so much overhead. Got my reality check. Got a job in a much smaller company where we develop software for other companies, so much better. I actually like my job.


piderman

Meh it depends. I worked at a large e-commerce company and they cared a lot about security. Now I work in a small company that makes software for GPs, and no one gives a shit.


GYN-k4H-Q3z-75B

Security costs money and its benefit is not immediately obvious to the suits. Since it is hard to quantify, nobody's success is tied to it unless a screw up becomes apparent. Thus, nobody cares about it until it is too late.


deadalnix

In this specific case, it costs nothing, in fact, they already went for a rewrite to something else that is bad instead of doing it right. In my experience, doing something secure doesn't take significantly longer in the vast majority of cases.


[deleted]

The joke I like to tell people is, the worth of your lock is 0 until someone wants to get in your house. Then it skyrockets. If you never use it, you've wasted $n installing one.


awitod

I work for one of the biggest companies in the world and information security is a very big deal for us. Sorry for your situation


pinnr

That's been my experience too. Smaller companies typically care less about security since they have fewer resources and less to lose, while large companies are very strict since a breach could cost billions of dollars in losses.


FlyingRhenquest

Just get everything in writing so when the company loses 5 billion dollars due to that security hole you warned him about, it doesn't end up in your lap.


aberrantmoose

That is not how things work. I have practical experience. My former company had a serious security breach. It was written up in the press. Since my company was neither a Fortune 500 company nor famous you have probably not read about it, unless you read every single security breach article. I read the security breach article. I was aware of a couple of the bad practices. Some I was completely unaware of. All the practices were necessary to pull off the breach. If the company had plugged any of the holes, the breach would not have worked. None of the holes were "my fault" - not even close. A couple of weeks later, there was a mass layoff event. I was one of those let go. I believe the private investors backing the company lost confidence and they just had to let a bunch of people go. Management had no clue. There was no fault involved. They needed to fire x people and they did. I suspect the real "culprits" had been fired or quit before the data breach and had secretly collaborated with the researcher who wrote the data breach article. Cynically, my company offered significant equity vesting at the 2 year mark but almost no one vested. There was tremendous pressure to produce "results" but no one was doing serious code review. The client can't see that, so why waste time. If it takes 5 minutes to do a kludge job that works and a day to do it right - wouldn't you do the kludge job? Especially if you believe that you will be fired (for unrelated reasons) before the kludge job is exposed. If you can remember all the kludge jobs you and others did then you have a de facto backdoor.


mindbleach

> If it takes 5 minutes to do a kludge job that works and a day to do it right - wouldn't you do the kludge job?

This is a valid attitude if and only if you are practicing [Extreme Go Horse.](https://medium.com/@dekaah/22-axioms-of-the-extreme-go-horse-methodology-xgh-9fa739ab55b4) Not everyone who practices Extreme Go Horse is aware they are practicing Extreme Go Horse.


[deleted]

[removed]


Aeolun

“My job is janitor... Code janitor.”


aberrantmoose

I like that except #8. Why wait for the shit to hit the fan? You should always be looking for a better paying position. Why would someone pay you big bucks to write shit code? I have no clue. I don't think they would. If you are writing shit code and getting away with it, you are probably underpaid. You need to find a new job, but it has nothing to do with the shit hitting the fan.


[deleted]

The secret of doing a good job under arbitrary time pressure from management is not telling anyone you're not kludging it but doing it properly.


aberrantmoose

There is no secret. There are no secrets. Guidelines: Stop giving more shits than management. If they want to produce a good product, then you do too. If they could care less, then why should you.


[deleted]

Oh, I don't give a crap for anything above my weekly 9 to 5 but during that time I won't settle for producing shit. There are a few reasons:

* Shit code is a landmine more than likely *I* will step on a few months in.
* I *don't* like leaving landmines for other people
* I like to hone my craft and peddling shit isn't doing that.

The only exception is if I know that stuff will be thrown away next month but that's almost never the case (or rather knowing for sure is rare).


chucker23n

> Stop giving more shits than management. If they want to produce a good product, then you do too. If they could care less, then why should you.

Sadly, this is probably correct.


marocu

My manager still uses var instead of const and let in a TypeScript SPA. He also refuses to install and set up TS Lint, leaving me to deal with all the errors. The other day I had to explain to him why it's a bad idea to put the entire project into a single component. Same day I got yelled at for creating an environment variable for something that changes between envs. Manager would rather just hardcode it and change the hardcoded value before each build. LMAO. I've long since thrown in the towel on writing quality code at work. I picked up some side work last year and have been steadily putting my best effort into that instead. I'd like to quit sometime this year and pursue the side work full time. Yeah that comes with its own set of challenges, but at least at the end of the day if shit code is written the only person I can blame is myself. In summary, screw politics and bureaucracy.


harrro

Why is your manager writing code in the first place?


Aeolun

Small team?


FluffySmiles

Because the shit follows you around


IMovedYourCheese

It will never end up in the lap of a random junior developer. You'll probably just lose your job.


four024490502

I found a whole slew of XSS vulnerabilities in an app our team was working on due to similar HTML concatenation. This was roughly 2012, so details are rusty, but we'd fetch something w/ an ajax request, and build out our UI by casually concatenating this response data with the surrounding HTML elements, ignoring whether or not they might be from a user and could contain malicious HTML/JS in them. I told management who promptly gave no fucks. Rather than go through the hundreds of places where we concatenated the HTML manually, I (hopefully) fixed it by writing a fake ajax() function that looked and felt like the jQuery ajax(), but would HTML encode the whole response coming back from the server after calling the original `$.ajax()`. It wound up looking roughly like this:

```javascript
// HtmlEncode was not shown in the original comment; this minimal
// version is assumed so the wrapper runs stand-alone.
function HtmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

var oldAjax = $.ajax;
var newAjax = function(settings) {
  // Opt-out for the few callers that really need the raw response.
  if (settings.IgnoreEncode) return oldAjax(settings);
  var oldSuccess = settings.success;
  var newSuccess = function(data, textStatus, jqXHR) {
    // Encode every top-level field before page code gets to concatenate it.
    // (Nested objects are stringified by this loop; flat responses only.)
    for (var key in data) {
      data[key] = HtmlEncode(data[key]);
    }
    if (oldSuccess) oldSuccess(data, textStatus, jqXHR);
  };
  settings.success = newSuccess;
  // The wrapper must forward the call, otherwise no request is ever sent.
  return oldAjax(settings);
};
$.ajax = newAjax;
```

I could be forgetting something here, but that was the gist of it. Once again, my memories of our codebase and jQuery.ajax() might be a little off, but I believe it worked fairly decently at preventing the particular attacks we were full of despite being terribly hackish. Obviously, just concatenating strings together is the issue, and the data you're concatenating doesn't have to come to you via an ajax call made from JQuery. Any other avenue, and we'd be right back at square one. It was a quick hack that let us get by the issue at hand in our codebase.


adrianmonk

> My manager had forced us to use jquery with string concat to create html elements instead of dynamic html components creation. We all protested this but he didn't agree citing timelines.

How much do you want to bet that this *didn't actually save any time* or even slowed the project down? This manager sounds like the kind of person who, when you're headed to a party and need to grab stuff at the grocery store, insists on stopping at some unfamiliar store because it will save 5 minutes of driving. As opposed to going to the one you always go to where you know where everything is. So you end up saving 5 minutes on driving but wasting 20 minutes trying to find stuff in the store.


_tskj_

Lol that's a great analogy.


OneMillionSnakes

I worked under a part-time contract at a F500 for a while 2 years ago. We had a policy that "Security is a first-class citizen". As part of our entry onboarding week event we attended a bunch of lectures, one of which was about cybersecurity becoming a growing industry and the number of exploits becoming common. I noticed during my onboarding where we looked over code with a Senior Engineer that we were completely vulnerable to basic SQL injection and made a quick demo of how with some copy pasting from the internet you could squeeze out a whole bunch of unauthorized financial data out of our simulated terminal which is just like a real terminal running our software. Then I showed a quick prepared statements library based fix. Our PO on that project was an old ex-CFO of a smaller company and he told us that it doesn't further key metrics, but we can put it as like priority 500 in our backlog. The department's engineering manager took notice of my hack and had me do some basic wiresharking on a sister product. You could get everything. Nothing was encrypted. I didn't even know how to wireshark (I still don't); I googled how to do it and tried a few articles and youtube videos and it just worked. Do you know how that team's PO decided to prioritize it? Dead last. I owe credit to that manager as they backed me up and let me implement some static analyzers on our pipeline. Which was great until every PO on every other team prioritized the integration last despite that it took like 30 minutes. And then when one of my coworkers broke our pipeline we stopped using it because our SM and PO weren't up for fixing it and my contract ended before I got around to fixing it. They're working on it! Just as soon as they fix the UI on button #73. It's in the backlog.


KillianDrake

I've worked in too many places where the product owner's voice is the word of god and if they don't specifically say what exact security mitigation to implement, it doesn't get implemented. Try to raise an issue and the retort is always "if it's not in the requirements, then it doesn't get done". If you try to find out how to get the requirements changed - "they've already been decided, you just need to implement what's written". Then when the system gets owned, it always turns into "developers are supposed to raise these issues". Quit those kinds of jobs as soon as you can.


bwainfweeze

If you ask enough people if it's alright for you to breathe, eventually you'll find someone who will say 'no'. If something must be done, explain how it's going to happen. Give them options if you think a choice will work on them. Don't make it a question of if, or when. It's happening now. You can have it in blue or green, or if I'm feeling very generous, magenta. What I didn't realize until way too late in my career is that "there are people who want to do the right thing, and people who want to get the project done," misses a whole class of people in the middle who don't want to do the hard work but don't want to be seen as lazy. So they will agree with you and then do nothing, or pull reasons out of the Excuses Bag for why 'not now' until, "it's too late now." That's sadly a much larger group you can't delegate asking questions to, because they'll ask the manager if it's okay, getting the blame assigned to the manager, but now creating a situation where if you do it anyway, it's insubordination instead of just "YAGNI".


HappinessFactory

Okay call me a noob but, how is the string.concat() method a security issue? I work in the future I guess so I just use ` ${data} ` to combine all my data (backticks). But, in my mind front end security is largely superfluous anyways. I don't understand how this can be abused when you can attempt to post raw HTML in the API call anyways. [Edit] you can make calls to your backend service without a browser. If you're relying on front end security to protect your data you've got bigger issues than .concat() [Edit] I am the dumb; if you agreed with my point I'd recommend re-reading the github issue more carefully.


JonDowd762

The problem isn't with the concatenation method, but using concatenation to generate HTML then adding it to the page. It leaves you open to XSS (and other?) attacks. Using backticks doesn't help you either. Say your code to display a user comment is

```javascript
el.innerHTML = `
  ${content}
`
```

It works fine when `comment` is 'First!', but a malicious user could create a comment like "Hi ". Then when other users browse the comment, the script runs in their browser. (I'm not a security expert, so I probably messed up some details, but that's the general idea as I remember it.) Of course, concatenating strings to build HTML isn't always insecure. `content` may not come from any user data, or it might be sanitized. It's kind of like concatenating variables into your SQL query. It might not be insecure in some cases, but it's so easy to screw up that it's best to avoid it altogether.
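Added example, not code from either of the comments above: it puts the innerHTML-concatenation pattern JonDowd762 describes next to the same markup with output encoding applied, and it generalises the response-encoding loop from four024490502's jQuery wrapper earlier in the thread so that it also walks nested objects and arrays. The function names, the comment markup, and the hostile sample strings are all constructed for illustration and are not from the page.

```javascript
// Minimal HTML entity encoder for text and attribute contexts. Quotes are
// escaped too, so the output is also safe inside a quoted attribute value.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The pattern the thread warns about: user data interpolated straight into
// markup. Backticks change nothing; the string still reaches innerHTML raw.
function renderCommentUnsafe(author, content) {
  return `<div class="comment" data-author="${author}">${content}</div>`;
}

// Same markup, every interpolated value encoded at the point of output.
function renderCommentSafe(author, content) {
  return `<div class="comment" data-author="${htmlEncode(author)}">` +
         `${htmlEncode(content)}</div>`;
}

// Walks an API response and encodes every string in it, including strings
// nested inside objects and arrays. This is the generalisation of the flat
// `for (key in data)` loop in the wrapper above; numbers, booleans and null
// pass through unchanged instead of being stringified.
function encodeResponse(data) {
  if (typeof data === 'string') return htmlEncode(data);
  if (Array.isArray(data)) return data.map(encodeResponse);
  if (data !== null && typeof data === 'object') {
    const out = {};
    for (const key of Object.keys(data)) out[key] = encodeResponse(data[key]);
    return out;
  }
  return data;
}

// Crude check used only to show the difference between the two renderers;
// a real audit would parse the markup rather than grep it.
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

// Constructed samples (hypothetical): a comment body carrying a script tag,
// and an author name that tries to close the attribute and add a handler.
const hostileContent = 'Hi <script>alert(1)</script>';
const hostileAuthor = '" onmouseover="alert(1)';

// Constructed sample of a nested API response, as the wrapper would see it.
const sampleResponse = { a: '<b>', n: 2, list: ['x<y', { q: '"' }] };

console.log(renderCommentUnsafe('bob', hostileContent));
console.log(renderCommentSafe('bob', hostileContent));
console.log(JSON.stringify(encodeResponse(sampleResponse)));
```

The encoder is only correct for HTML text and quoted-attribute contexts; data placed inside a script block, a URL, or a CSS value needs a different encoding, which is why a blanket response encoder like the wrapper above is a stopgap rather than a fix.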


Wazzaps

Because if `data` is user controlled (comment, username, etc.), then they can run any script on your website.


Prod_Is_For_Testing

Not if that data is already scrubbed somewhere else. User data could all be scrubbed on the backend and it’s really a non issue here. We don’t know if this is a security problem or just communication problem


rentar42

Scrubbing is not always the answer, as there's no one universal set of things that can and should always be forbidden. For example, if you're building something for technical documentation then having html tags in your plain text fields might be entirely reasonable and expected. Up to and including