Paper: https://xianghang.me/files/resi_paper.pdf Medium Article: https://medium.com/@xianghangmi/resident-evil-understanding-...

Did someone actually go and confirm your role based access control matrix is up to date and user accounts have the right access? Were all of those screenshots watermarked with timestamps?

There is work to do, whether or not auditors are doing it is another question.

In my mind getting a clean report required three kinds of work:

1. Work that actively improved our security posture. 2. Work that didn't change much, but made our security posture easier to understand. 3. Busy work.

I think for most companies all three kinds of work will be required, but you can also make decisions that will push the percentages around. SOC 2 required us to start doing an annual security table top exercise. You could sit down, run a scenario, run it as fast as you can, and come up with a few pre-determined "improvements" that would help if you actually had that problem in the future. Or you could sit down and really put work into it, and see what works well and what doesn't.

As an example in our last tabletop I "exfiltrated" some data from one of our servers, and challenged the team to figure out what I'd done. The easy way out would have been for someone to say "We'll look at the logs and figure it out", but instead I asked them to actually try and find it. We discovered that the sheer volume of logs for that system made them hard to work with. So we made some changes to make them easier to work with and repeated the exercise later.

It could have been busy work, but instead we got real value from it.

There's a fair amount of boiler plate language in these reports, and a bunch of re-stating the SOC 2 controls. I'd expect two reports (same auditors, same platforms) to be nearly identical. If they're both using AWS, Github, Stripe, Vetty, they're subbing a lot of the exact same thing out to the same companies, referencing the same set of internal controls.

Reading ours. There's a section titled $Company's Controls, followed by 20 pages listing the various SOC 2 controls. e.g.

---

CC9.0 Common Criteria Related to Risk Mitigation

CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

IR-01 A Security Incident Response Plan that outlines the process of identifying, prioritizing, communicating, assigning, and tracking confirmed incidents through to resolution is accessible to all relevant employees and contractors and is reviewed annually.

---

Then there's another 20 pages of those same controls being listed, some language about how they tested the controls, and hopefully "No Exceptions Noted".

That's not going to change much between companies.

I think there's a wide spread in how that's implemented. I would certainly not describe Grok as a tool that's prioritized safety at all.

If you want to ineffectivly filter out most candidates just auto-reject everything that doesn’t arrive on a timestamp ending in 1.

One of our competitors was claiming a server in a middle eastern country we could not find any hosting in. So I figured out what that server's hostname was to do a little digging. It was >1ms away from my server in Germany.

We're in 100+ countries, and I'll stand by that claim. It's a huge pain in the neck. In our early years we had a lot of problems with suppliers claiming to be in Mexico or South America who were actually just in Texas. I almost flew to Peru with a rackmount server in my luggage after weeks of problems, that plan died when we realized I'd need to figure out how to pay Peruvian income tax on the money I made in country before I could leave.

We've also had customers complaining that a given competitor had a country we'd had trouble sourcing in the Middle East. A little digging on our part and it's less than a ms away from our server in Germany.

There should absolutely be a better answer here.

If you're looking to trace to something far away when doing a demo we've got servers in ~280 cities around the world so .wonderproxy.com works. e.g. taipei.wonderproxy.com or santiago.wonderproxy.com, berlin, newyork, etc.

If you want to test your IP blocks, we have servers on both China and Russia, we can try to take a screenshot from there to see what we get (free, no signup) https://testlocal.ly/

I also think you disenfranchise too many people when you do that.

- People who work on oil rigs won't get to vote

- People who do shift work covering the hours the polls are open wont get to vote

- People who are of sound mind, but too unwell to travel to a polling location wont get to vote

- November is Red/blue king crab season in Alaska, guess those people don't get to vote

- Flight attendants & pilots might be away from home that day.

- People in the military might be on exercise that day, we're cutting them off (though I'll assume deployed service members will get to vote wherever they are)

- Long haul truckers are out of luck

- Anyone on vacation is missing their chance

- College students are always a wildcard, do they cast a ballot where they are (ID could be from a different state) or go home for the weekend?

I volunteer with scouts, kids aged 5-8. We ran a cardboard based activity with the makedo stuff. We tried to supplement with scissors, they were not effective.