At a basic level I appreciate this sentiment. However, the common dysfunction I see in large corporation is its not the lack of people who give a shit. Its lacking a sufficient number of people in positions of power that give a shit -- such that they can actually make change happen.

All too often competing pressures (features, profit, delivery speed, politics) take precedence; not leaving time for things that would really move the needle. In essence, too many leaders are happy to ship garbage; they don't care (or don't know).

If Github were to put out a statement saying "service quality is our priority", it is fairly meaningless. If they added "here's how we'll get there", maybe it helps some. Moreso -- "from now on executive compensation is tied to these SLOs", then maybe something would actually happen.

1) Check the businesses’ MX record. Often this points to a third party provider like Microsoft or Google. 2) Connect to the mail server identified in the MX record. Sometimes these have banners that identify the vendor (vs something generic like sendmail) 3) Email headers from messages sent to users in the company (or sometimes a bounce). Often these have headers from one or more providers. You’ll have to sort out the path to understand which bits were added by the sender/recipient path though.

These days often companies have multiple providers (security) so they might have one at the edge (mx) and more internal hops. You can usually see these in the headers.

I found this archive that has some of the shows recorded, and set playlists (I'm giving two links as the site is using frames so the top level page requires you navigate the menus to get to these):

  - Recordings: https://www.transbyte.org/SID/KDVS.html
  - Playlists: https://www.transbyte.org/SID/6581.html

  - https://www.mmnt.net/db/0/0/arnold.c64.org/pub/sidmusic/lala/ra
  - https://archive.org/download/arnold.c64.org  (download the whole thing and dig into pub/sidmusic/lala/ra)

Its possible the authors are still around and have more copies; doubtful KDVS has archives, maybe tapes buried in the library.

Anyway, hope this helps! Its a cool piece of history and brings back a few memories.

Webdriver BiDi is a future cross browser replacement:

https://www.w3.org/TR/webdriver-bidi/

Cloudflare is already heavily abused by threat actors to host, and gate their malicious content. This means our crawler has to handle anti-bot and CAPTCHAs. It’s a pain. Cloudflare is no help.

They have a “verified bot” program but it’s a joke for security. You must register a unique, identifiable user agent, and come from a set of self declared IPs. Cloudflare users can check a box to filter these bots out. And now you're easily fingerprintable so the bad guys can just filter you even without Cloudflare’s help.

So now we have a choice. Operate above board and miss security threats. Or operate outside the rules (as opaquely defined by Cloudflare), and do right by our customers.

All of this on CFs side is to solve a real problem. Unfortunately by not working with the industry in a productive manner, Cloudflare is just creating new problems for everyone else.

Search spam is not new, but the use of LLMs simplifies the ability to make pages that look like legit content (increasing the likelihood they’ll show up in search results).

Not so good for security work.

It’s similar to their abuse reporting. They give your info to the site owner. Gee thanks, that’s just what I want to do.

Threat actors use Cloudflare and other services to gate their payloads. That’s a problem for our customers who are trying to find/detect things like brand impersonation and credential phish. Cloudflare has been completely unhelpful. They just don’t care.

One random sample:

https://lemire.me/blog/2022/01/21/swar-explained-parsing-eig...

* Routsias JG , Mavrouli M , Tsoplou P , Dioikitopoulou K , Tsakris A . Diagnostic performance of rapid antigen tests (RATs) for SARS-CoV-2 and their efficacy in monitoring the infectiousness of COVID-19 patients. Sci Rep. 2021;11(1):22863. doi:10.1038/s41598-021-02197-z

* Currie DW , Shah MM , Salvatore PP , et al; CDC COVID-19 Response Epidemiology Field Studies Team. Relationship of SARS-CoV-2 antigen and reverse transcription PCR positivity for viral cultures. Emerg Infect Dis. 2022;28(3):717-720. doi:10.3201/eid2803.211747

* Korenkov M , Poopalasingam N , Madler M , et al. Evaluation of a rapid antigen test to detect SARS-CoV-2 infection and identify potentially infectious individuals. J Clin Microbiol. 2021;59(9):e0089621. doi:10.1128/JCM.00896-21

* Killingley B , Mann A , Kalinova M , et al. Safety, tolerability and viral kinetics during SARS-CoV-2 human challenge in young adults. Nat Med. 2022;28:1031-1041. doi:10.1038/s41591-022-01780-9

[1] COVID-19 Symptoms and Duration of Rapid Antigen Test Positivity at a Community Testing and Surveillance Site During Pre-Delta, Delta, and Omicron BA.1 Periods. https://jamanetwork.com/journals/jamanetworkopen/fullarticle...

Another nice entry point is micropython. Some of the getting started stuff has gaps but overall nice and simple if you’re more comfortable in Python. Major libraries have ports so it mostly is an easy dive in.

The crawls came from Azure and AWS. Forged UAs, repeat hits in the same URL, etc.

All of this is an exercise balancing information asymmetry and cost asymmetry. We don’t want to add more friction than necessary to end users, but somehow must impose enough cost to abusers in order to keep abuse levels low.

Unfortunately for us, it generally costs far less for attackers to bypass systems than defenders to sustain a block.

As defenders we work to exploit things in our favor - signals and scale. Signals drive our systems be it ML, heuristics, signatures (or more likely a combination). Scale lets us spot larger patterns in space or time. At a cost. 99%+ effective systems are great, but at scale 99% is still not good enough. Errors in either direction will slip by in the noise; especially targeted attacks.

As a secondary step, some systems can provide recourse for errors. Examples might include temporary or shadow bans, rate limiting, error reporting, etc. Unfortunately, cost asymmetry comes into play again. It is far more costly to effectively remediate a mistake than it is to report one. We’re back to cost asymmetry.

All of this is suboptimal. If we had a better solution, it would be in place. Building and maintaining these systems is expensive and won’t go away unless something better comes along.

tl;dr version: assholes ruin it for everyone.

My intent was pointing out that engineers with high level access to their dev machines is pretty common in tech. Not that other controls like policy enforcement are also often absent in tech (esp in larger companies). Hard to know how common that is -- seems unusual at least in big tech.

Engineers having full control over their dev machines up to and including preventing system updates is not ideal; but not out of the norm for tech. Poor data access controls, and out of date server fleets (where I'd expect updates to be pretty automated) are far more worrying to me.