wjnc's comments

Incomprehensible! “Didn’t quite get his leg over” - that’s the joke? Found a Guardian article and even they do not explain the joke [1]. Further ethnological research [2] explains it all - “to get a leg over” is intercourse.

The story about the test match broadcast is really nice. Just goes to show how deep cultures can be locally ingrained. One could learn perfect English and never get to the point of getting this joke, without serious integration efforts. In this case, worthwhile efforts.

[1] https://www.theguardian.com/uk/2005/aug/20/sport.andrewculf

[2] https://dictionary.cambridge.org/dictionary/english/get-leg-...


I think you are right but would like to keep in consideration that penalty clauses are real and can be enforced in court. We have no (or perhaps: have some) clue how far the bargaining power is leaning toward the suppliers. Maybe the signatories in the SCA are so cornered, they will sign anything and think ‘boom or bust’.

Yeah, this is a part about itsec I don’t understand in my firm. They run social engineering tests, but never notify management when individuals fail, only in general terms. While being psyopped needs to be actively discussed among coworkers imho.

That's because susceptibility to attacks is a question of training. What would the goal of placing individual blame be? Shame? Drive them to seek training outside work? Further, if you periodically single out people, the organization will hate you.

“Shame” is a big word. I wouldn’t shame a member of my team. Why would I!? They are great people. Same with “blame”. Everyone has faults, everyone can be blamed for something. That doesn’t change the basics of a person.

Giving people a chance to discuss, as adults and professionals, how they got sniped beats any second-hand training and experience by miles.

Now we get to hear that x% of a sample failed, including #y elevated-privilege people. How will somewhat naive management handle that?

Sometimes I get a feeling many HN-ers work in ultra toxic environments. HR is not your friend, your manager is there to screw you over and the firm will fire you for pennies. That’s just not my experience in working.


Selective training makes sense. But, I heard a pentest professional provide this counter-argument: if you tell management which individuals failed the test, even if your intention is to provide those people with the training they lack, the management might, due to ignorance, shift blame for suboptimal security on those people, label them as lazy/incompetent/etc, and ultimately not put the necessary processes (testing, training) in place which are the true determinants of penetration rates. The idea is that you get inefficiency by selecting for training broadly, but you prevent extreme sabotage by ignorant management.

>Sometimes I get a feeling many HN-ers work in ultra toxic environments.

Many people in the world work in toxic environments, not just HNers. Especially when the jobs market is shit, people turn on each other like animals.

>HR is not your friend

Where did you work that HR was your friend? Did they invite you for beers or visit you in hospital when you were sick?

HR everywhere protects the company from liability, that's it. They're your "friends" as long as you don't risk becoming a liability.

>your manager is there to screw you over and the firm will fire you for pennies.

Your manager maybe not, if you're lucky and he cares about those below him more than his own corporate ascension, but managers levels above sure screw over the ones in the trenches when shit hits the fan; that's how they got to the top in the first place. The more unscrupulous one is, the more likely they are to climb up.

> That’s just not my experience in working.

Good for you.


You are right. Toxic workplaces are abundant. But non-toxic ones too, I hope. I am always interested in how we can or cannot transfer local cultural differences and things we hold as basic truths via a forum.

The second question: yes, in a time of need my manager and HR-consultant did indeed help me find appropriate psychological care. (And we also visit coworkers in the hospital.) This was part humanity, but also part of what ‘we’ (a firm is a collection of people) constitute as being part of what it entails to be an employer. It feels like a reductio ad absurdum to think that this was purely transactional on their part. It was deeply human, or at least I choose to see it as such.


>The second question: yes, in a time of need my manager and HR-consultant did indeed help me find appropriate psychological care. (And we also visit coworkers in the hospital.)

This is unfathomably rare. I hope you realize just how lucky you are.

> But non toxic I hope as well.

This never happened to me and I live, on paper, in the most livable country in the world. All bosses only care about my performance, not my healthcare. The moment I got too many sick days, I got dismissed and sent off on welfare.

>This was part humanity,

But most employment relationships are exclusively transactional. Your only virtue is usefulness to the boss's bottom line, not your "humanity", as that can't be monetized, unless maybe you work in government, healthcare or NGOs.


Regarding shaming: A new strategy I've noticed recently is that my organization randomly deploys emails from time to time that are basically "fake" hacking/phishing attempts. Sometimes it's a PDF link, or a request for an invoice, need a phone call, etc.

If you fall for it (clicking the link) then you get sent to a webpage saying "Hey this was a test and you fell for it... think twice before you fall for this again. Please watch this short security video". Then you get followup emails until you finally get around to watching the video.

Something tells me if you are a frequent offender they have you do additional training.

As annoying as the emails are, I appreciate that this avoids the shaming aspect. It's important to keep the normies on guard against this kind of stuff. And this gets the job done without drawing attention to human-level failures. And it keeps everyone a little more on their toes.


You can discuss people’s own failures with them politely and professionally. To avoid and talk around the issue is political, not professional.

If I was a security consultant, I'd make it part of the contract that I will not name names unless legally required.

Shame works for me. If I was ever the one that got sniped and my colleagues saw it I'd forever be paranoid about it. Like when my dad sat me down and told me that I couldn't keep losing hats all the time when I was a kid and that I wasn't a baby anymore and it was expensive, and that shame made me look behind me when I leave somewhere until today and stop losing stuff.

Especially for security, yes, shame the person in a small setting, shame them in a positive way, as in let's all learn from this, but shame is very powerful. Much more powerful than saying "someone in this team failed this" and everyone thinks it was the other guy.


I think people saw that old culture and thought "man, that's horrible. We must never do that". And the assessment was right, but also wrong.

Previously, shame (and other pressure) was just applied without first empathically inspecting why the node was acting in the way it did, thinking that just enough force will surely solve the problem. It kinda did, but with lots of collateral.

Essentially, the security consultants (and everyone else involved) were just being lazy and not doing their job correctly.

But now we have this overcorrection, because people are still lazy and do not want to do their job correctly, which leads to the systems failing in a different way.

___

The solution would be to understand the individual node and apply the correct corrective measure. This can be shame, but it might also not be. And the level of it is also highly dependent on the situation.

This is a hard problem to solve, but it needs to be solved for good results.

The problem here being that scaling that up is hard, but everything needed to hyperscale. With either the individual nodes or the system integrity picking up the slack.


> I think people saw that old culture and thought "man, that's horrible. We must never do that". And the assessment was right, but also wrong. Previously, shame (and other pressure) was just applied without first empathically inspecting why the node was acting in the way it did, thinking that just enough force will surely solve the problem. It kinda did, but with lots of collateral. […] But now we have this overcorrection, because people are still lazy and do not want to do their job correctly, which leads to the systems failing in a different way.

Very well said, and I think your exact description applies to management in general: management is hard, and requires hard work to be done correctly, tailoring your response to every person, because two people being bad at their job aren't always bad for the same reason.

But most managers are not suited to the job, because it's mostly a status symbol and not something you give to the most qualified person, and most are too lazy to even try learning about it, so they don't make the effort of adapting to every individual, and in the end they end up either tyrannical or complacent.


I mean to be fair, with the business models, incentives, compensation, etc. being how they have been, why would you care?

Why would you do the hard work when you can also just not do that?

I mean I agree with "people are not suited for the job", however, I also feel like often, "the job is not suited for people".

It's rot all the way down, essentially.


> Shame works for me

> I'd forever be paranoid about it

Some folks like to work that way, but I don't think most do. This obsession with outwardly correct behavior, even if it works in the end (at least externally), doesn't sound like a recipe for a happy inner life, but maybe I am reading too much into that.


"shame them in a positive way" Oh my. That's some HR type viciousness right here. (⌒▽⌒)

(Won’t fully repeat my other post.) Shame is such a big word. ‘Give people the chance to _teach_’ would be my reply. Which you probably would see as even more vicious, but it’s 100% sincere.

As a junior I made the front page of national news. I answered a question with a very big number on a Friday afternoon. Hit headlines on Saturday. Our prime minister had to defend my mistake in public. (He never admitted any mistake. With just enough spin nothing sticks.)

The head of the organization literally cursed and spat at me. In that same meeting from the no. 2 down they stood up for me. It’s still a great story about how to treat mistakes 20+ yrs on. Admit mistakes. What did __we__ (not: he) do wrong? (Hint: from medior to board everyone had an afternoon off and we had never discussed stakeholder management. I was in no position to say no to a ministerial request.)


Maybe you just were never carefully told about something you did wrong in a way that everyone feels like they learned from it. The top reply to my comment put it better than I could, I think there was an overcorrection. I believe in fixing the process first, but there are situations where shame is the right solution. The current en-vogue thing of pretending all is good but penciling in that person for the next layoffs is I think worse than a bit of shame if that fixes the problem and avoids more drastic actions later on. Silicon Valley is very PC but then lays off without remorse, so it's funny to see this combo of "we care about never hurting your feelings all the way to the point where we fire you without a care in the world".

Shame is a subjective feeling. There's no "right" and "wrong". Shaming is the action being criticized. No one is arguing everyone should just shut up when a big mistake is made.

Shame isn't wrong, shaming is. Your dad telling the truth isn't shaming. You just felt shame because you're a decent person that is embarrassed you were causing problems for other people.

Does for me, too. But not for 30 people around me. They just shut down and isolate. It’s a matter of how self-reflective one is. And who knows who’s going to exploit this to get their way.

I am surprised how controversial this is. I feel like I'm in that episode of Always Sunny in Philadelphia where they decide to do an intervention by cornering and berating, while a mental health professional looks on terrified.

Yeah, it's some bullshit 90s-era basement-dwelling "techie" attitude that even Linus Torvalds said he doesn't want to do anymore almost 10 years ago by now.

As someone who has been training and mentoring and managing people for over 25 years: shame is useless as a tool. There's no "you gotta have thick skin" in people management. That attitude is just covering for the deficiencies of the manager. Most people's natural reaction to shame is to shut down and either slink away or become vindictive. You don't get the right corrective behavior out of using shame.

One's employment of shame as a corrective technique also has a wide blast area. When one singles out and criticizes people in public, the people who aren't being criticized still see it and form new, negative opinions of the criticizer. You undermine your own authority as The Boss when you do that.

Truly being "results focused" means studying actual management theory, negotiation techniques, coaching techniques, and conflict management. Praise in public, criticize in private. Always. And when you do have to criticize, keep the emotion out of it and stick to just the facts.

I have two employees I've had to put on PIPs right now. One of them is actually improving. The other one is a habitual liar; for whatever reason HR won't let me fire him outright, but even for him I won't break my rules, regardless of how angry he has made me, because the rest of my team will see it. During the meeting where I informed them I would be formalizing the process, they were not surprised and agreed that it made sense, because I had done the work before then to establish expectations and work with them to try to improve. There are also people in the past whom I have fired who have messaged me on LinkedIn, thanking me for being kind to them during the process, because it was what they needed to turn their lives around.

You can tell people they aren't meeting expectations. You can put people on official notice. You can fire people. And you can do all of those things in ways that preserve their dignity. And in that mode, you can get mediocre employees to be good, good employees to be great, and great employees to stay. Or you can treat people like shit and constantly have to go back to the recruiting well. I'm sorry, but I'm far too busy to be constantly interviewing and onboarding new people.


Because 99.99% of the industry is not about improving the end state. It's about covering ass. Same as accounting, safety, environmental, and every other compliance industry.

Assigning individual blame is missing the point of improving the security culture in general.

Do you hold that same opinion for the training and testing of pilots and surgeons? Do you want to step on a plane with a pilot who is only there because we are too nice to assign individual blame for his inability to do the job properly? Do you want to be going into open heart surgery in a system that dismisses the idea of individual blame when analyzing the outcomes associated with each surgeon? Having no idea if the man cutting into you has previously had great outcomes or poor outcomes?

You’re both imagining different scenarios.

Scenario 1: 20% of staff tested failed. Individual targeting is pointless because the issue is systemic. This has happened in aviation, it’s common for accident investigators to conclude that the entire company culture (or even the entire industry) has failed to handle a problem. They don’t waste time in cases like this pointing at individuals.

Scenario 2: you test very regularly and nobody fails the tests. Except Bob, he fails the tests. In this scenario, your threat analysis document will recommend retraining, firing, or restricting Bob specifically.

Scenario 2 almost never happens because nobody has data that good. If your sampling frequency or ability to conduct tests are limited, no specific sample is enough to cover the entire problem. If you focus on punishing (or just re-educating) the 20% who failed, then your next test will fail for (potentially) 20% of the 80% who weren’t retrained, and thus didn’t learn anything.

TLDR: you need to choose the approach based on the situation, but we collectively tend to treat security poorly enough that we’re almost never in the fortunate situation where scenario 2 fits.


Yes and no.

Yes in general, because usually it's culture and not an individual failing. No in specific situations, because it's not just culture but also some people are just the weakest link.

Only focusing on either of these while ignoring the other is going to lead to bad results.


He bought a house with < 1% of his net worth, which he made himself. Then proceeds to give away 100x that. Aristotle would call that modest and of a balanced demeanor. An absence of excess indeed. I would be living in a cardboard box with these figures. I can get some irritation with the world's billionaire class. But I do think modesty is somewhat based on circumstance.

This is a UI/UX problem, no? While the current suppliers are mostly locked in the ‘chat for everything’ mode. Guess what, we didn’t go to the moon in chat mode, we don’t drive cars via chat and cyborgs don’t play chess that way. Domain specific interfaces are the way to go (opinion).

Edit with an example: Read some interesting science news yesterday regarding man-made risk of high water (Nature). Mailed the author, found the article (popular news doesn’t do attribution) and the data and code were open source. Claude Fable had it running very fast and explained the things I forgot from high school. Started on localization and adding some methods from my background (econometrics, extreme value theory). All nice in the /hobby/ way. I can overlap fields in hours now. A brilliant feeling (but probably not brilliant).

What I cannot do is assess the value and novelty of the created work on my own. So I still need to have a set of geologists and econometricians / actuaries work through ‘my work’. That’s what we need tools for! We need UI/UX in this case for novel fields interacting with quality controls made easy. I currently wouldn’t dare ask the author for her time based on my slop. And I cannot critically assess what I’ve made. I only learned today that Greenland's ice attracts water, that Manila and other cities are sinking due to exhaustion of their aquifers and that the North Sea is surge heavy and unique that way.


Am I reading you right that braking power (that you want to regenerate in the system) >> speeding power? Obvious now I come to think of it, and still a pretty nifty new thing learned if true!


In that analogy bigtech AI is currently investing in cleaner air for all of us? We _could_ breathe it through their hose, but might as well breathe it outside.


I stubbed my toe. I don’t feel like ice cream today.


There are a lot of things it is worrisome to feel like.


I found them worth reading because the following set of thoughts came up:

- programmers had problems with delivering quality long before LLMs

- very much research and tooling went into that, bringing us {Git, libraries, VSCode, reviews, …,} but the human factor stayed the same (and more pronounced imho than in other fields of engineering)

- LLMs democratized programming, enhancing a few, dropping the bottom to no-skill programming

- the tools and practices created for the quality problems of the past turn out to be wholly incapable of maintaining quality in the present

The main problem behind this is that those delivering the QA tools of the past are central in the AI race. Old school engineering would separate these concerns.


A long and a short cancel out. So you could construe this yourself. (Recognise that this has a long tradition on HN ;)


Besides laziness being a tradition among programmers (in a good way), that kind of complex activity is going to generate tax in a lot of jurisdictions.


If you care to explain why, I’m interested. I imagine a situation where large Sum X is in ETF but gets adapted by a few little shorts. It’s still mainly the ETF in the portfolio. (Exactly this is why in my firm some ETFs are deemed too precise, since they are thought to follow the insider knowledge as well.)


Well FWIW, all of my attempts to short have generated losses.

