
I'm not burned out, I'm pissed off - eitland
https://www.myname.website/im-not-burned-out-im-pissed-off
======
finnthehuman
I'm a recovering security guy.

When I listen to security people rant, I can see their points and it's a bit
of fun, I like a good rant. But I get the impression that they're continuously
discovering new and exciting ways that individual facets of individual pieces
of software (and the processes around them) suck. All without ever accepting
that the entirety of the software ecosystem sucks (and that they're rarely
moving the needle on that front).

All software and the internet combined is a giant ball of mud that just grows
and grows as more people add onto it. There's no architecture more than the
strict minimum to keep the whole thing from falling apart the moment someone
breathes too heavily near it. And that's not even including when commercial
interests keep trying to design their chunks of the mudball in unique ways
that make themselves more money at the cost of everyone else's chunk getting
more complex.

Like everyone else adding mud, security wants to get in, hit their
requirements, and get out. I just don't like the chip on their shoulder that
nobody else is doing enough to fix the system throughout in a way that helps
them achieve their goals with the least fuss.

~~~
platz
Not really security, but regarding software in general, Mud is one of the
reasons I gravitated towards pure FP languages. It doesn't solve everything,
but the added guarantees help shift some of the cognitive burden away from
having to dig into every method to see what's going on, and I can spend that
mental budget elsewhere.

~~~
FpUser
This reminds me of that "but think of the children" mantra. From my observation
programmers often tend to justify / promote their languages/tools/etc under
pretense of solving security problems.

~~~
platz
"Not really security"

------
dogman144
1) Increasingly, if you want to be in infosec, you have to learn how to code
on the level of a SWE. This is how to not lose your mind when constantly
addressing sec issues that others (devs) are entirely responsible for fixing.

2) Department of No doesn't have to be a thing, it just takes some emotional
intelligence and pragmatism. 'Always saying no' is as much the fault of the
sec eng as it is the system. If you have the willpower and general positive
mindset, it's more than easy to go through a sec career without getting angry.
It just requires not default No, and ....

3) Understand people want to do a good job. If you tell them they're doing a
shitty job, they'll tell you to fuck off. If you (sarcasm font) admire what
they're doing, and have some stuff that can get added to build an even better
product, people are _surprisingly_ amenable to working with you. It seems like
70% of sec folks think their job is to say No, and as a result never get
there.

4) This was a huge lesson for me that made me understand the field: to be
successful in sec, you _must_ learn that your personal risk tolerance will
not always equal the enterprise's risk tolerance. Making money, in a digital
field, is an inherently risk-on undertaking. It's crucial to know what to not
escalate beyond your team, what to not cause a fuss about, what is just a
known risk that will continue to exist, and then have clear requirements for
what risk you will escalate and shake cages about.

It seems like all of these sec rants boil down to seeing the system and being
unwilling to work within it, vs. seeing the system, accepting it, and figuring
out how best to navigate it, and what tools and personal skill sets I'll
really have to maximize to succeed in it.

~~~
Thriptic
I agree with everything you said. To expand on point 3, when you are pitching
a security change, know your audience. Most people hear security change and
they think another inconvenient pain in the ass that I'm going to have to deal
with. That changes if you can show them benefits to people or to the business
that are not security related. For example, traditional approach:

Boss: You are advocating spending a lot of money on a configuration management
solution, why?

Sec: Well it can help prevent heterogeneity in our environment which can lead
to different versions of software being run, some of which may be old and
buggy and therefore exploitable.

Dev team: So now we need to do change management meetings and institute even
more controls? No, this will slow us down!

Ops: Sigh, another fad system we will have to support, learn, and test.

Boss: This seems like a lot of money and inconvenience for a theoretical
problem, no.

Better approach:

Boss: You are advocating spending a lot of money on a configuration management
solution, why?

Sec: Because it's a win for the business. Our Dev teams can avoid dependency
hell and be confident that code they develop on their machines is going to
work in production because our production environment will mirror the
development environment. This will let them ship faster and spend more time
doing real work. Ops will be able to scale much faster and spend less time
dealing with configuration issues. Imagine being able to develop a config and
spin up 50 servers with it at the same time while you sit back and sip a soda!
No more fixing damaged boxes, just replace them! No more fighting with the dev
teams! Oh yeah, we also get a security benefit for free while making our lives
easier as we won't have to deal with heterogeneous software running on our
boxes which presents a security vuln. The ROI for the business will be large.

Everyone: wow sounds great, let's do it!

------
wayoutthere
I 100% agree as a consultant working in product development. I think what
drives this is a lack of ability for anyone to understand the end-to-end
product from a technical standpoint and make coordinated decisions about
direction. Instead, you have 30 teams with their own architects and roadmaps
(which often overlap functionality) so you build the same thing 5 times across
the org, then 3 of them end up drawing meaningful adoption so you have to
figure out how to support that on an ongoing basis.

All of this leads to non-technical sales people becoming the de-facto source
of product feedback. Which leads to non-technical middle managers making
product decisions with a short-term mindset. It's impossible to do a good job
under conditions like this, so folks just check out and clock their 40 per
week.

I think this is the cause of a lot of burnout. People get emotionally invested
in their work, but the way tech is structured, quality doesn't matter as much
as velocity. Individuals don't fully understand how much impact their work
has, so it can seem like toiling away in obscurity for years on end. That
doesn't feel good to anyone, but when the company is making 35% margins it's
really easy for them to ignore the cash bonfire.

~~~
kbr2000
I experienced this several times as an employee. It becomes hard to stand when
you realize that every positive contribution just results in more money being
shoveled out of the window behind your back (mainly because of greed,
inefficiency, keeping the status quo, and reckless behaviour caused by trust
in your capabilities to somehow fix it again, every time over again) -- as
opposed to contributing to a more efficient way of working for everyone.

Been doing extreme over-hours in the hope of fixing stuff once and for ever,
only to realize your job becomes more and more like shit-shoveling, since
management starts to feel invincible (and protected by your contributions),
which leads them to make even more errors without accountability. I've seen
some of them with tears in their eyes when I finally quit. 'nuff said.
Profiteurs!

~~~
penetrarthur
> Been doing extreme over-hours in the hope of fixing stuff once and for ever,
> only to realize your job becomes more and more like shit-shoveling, since
> management starts to feel invincible (and protected by your contributions)

Isn't that when you start earning a lot of money?

~~~
tanseydavid
> Isn't that when you start earning a lot of money?

This is very dangerous thinking. Figure out why this is true if it is not already
obvious.

* Not sustainable
* Not healthy
* Not scalable

No sarcasm here. Try to avoid this thinking-trap.

~~~
kbr2000
Correct. Also, they won't give you that money if they know your motivation is
the will to fix things. The money flows instead to the ones who have receiving
more money as their motivation.

------
zer00eyz
"A new car built by my company leaves somewhere traveling at 60 mph. The rear
differential locks up. The car crashes and burns with everyone trapped inside.
Now, should we initiate a recall? Take the number of vehicles in the field, A,
multiply by the probable rate of failure, B, multiply by the average
out-of-court settlement, C. A times B times C equals X. If X is less than the cost of
a recall, we don't do one."

No one in management wants the expense or the overhead of actual security.
They want the "theater" of security, the good feeling, the box to check on
their resume (as management) so everyone can pretend everything is fine and go
back to the business at hand. Then something real happens, a leak of user
data, or credit cards or internal memos... suddenly everyone's job is security
and no one knows what to do. The last problem gets solved, there is more
"theater" and a few quickly forgotten changes that get worked around or just
ignored in the long run.

Furthermore your average engineer wouldn't eat a ham sandwich handed to them
on the street by a stranger but will happily run code from 100's of other
people on their servers without even looking at it. Note: I too am guilty as
charged. Sure you can vendor it, and miss out on future security patches (it
was already broken). Or you could just pull it from whatever repo you got it
from to begin with and pick up new flaws. Never mind the fact that pulling
from random places assumes that all those other chains of trust remain
uncompromised.

Management and Engineers should be the ones most concerned and most thoughtful
regarding security and both seem to ignore it for cost and convenience reasons
till it is (far too late and) a REAL problem.

~~~
LeonM
For those who didn't get the reference:

The OP is quoting Tyler Durden, a fictional character from the movie 'Fight
Club'. So take it with a grain of salt.

~~~
wrayjustin
Or, take it for what it is, a _quote_ from a _movie_.

But don't dismiss the merits of the idea. It's essential Risk Management[0],
which is most certainly a relevant part of Information Security. Specifically,
this is a form of Cost-Benefit Analysis (specifically, Quantitative Risk
Analysis[1]), a critical component in proper Risk Management; the reality is
you cannot "fix" every issue.

Take a look at methods like Single Loss Expectancy[2] and Annualized Loss
Expectancy[3]; you'll find that the _Fight Club_ quote is very close to the
real-world methodology. I cannot speak for the Automobile Insurance industry,
but given Insurance is founded in Risk Management, it seems likely to be
closer to reality than not.

[0]
[https://en.wikipedia.org/wiki/Risk_management](https://en.wikipedia.org/wiki/Risk_management)

[1]
[https://csrc.nist.gov/csrc/media/publications/conference-pap...](https://csrc.nist.gov/csrc/media/publications/conference-paper/1999/10/21/proceedings-of-the-22nd-nissc-1999/documents/papers/p28.pdf)

[2]
[https://en.wikipedia.org/wiki/Single-loss_expectancy](https://en.wikipedia.org/wiki/Single-loss_expectancy)

[3]
[https://en.wikipedia.org/wiki/Annualized_loss_expectancy](https://en.wikipedia.org/wiki/Annualized_loss_expectancy)
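A worked version of the cost-benefit reasoning above, added here as an example (it is not from the commenter, the movie, or any standard's own text): it maps the A × B × C formula onto SLE and ALE and then compares a control's annual cost against the loss it removes. Every figure is constructed, and the mapping SLE = C, ARO = A × B is an assumption stated in the code.

```python
"""Quantitative risk analysis worked through with the thread's own symbols.

Added example for this discussion; it is not from any commenter, the movie,
or a standard's text, and every figure is constructed. Mapping assumed here:
the movie's A * B * C is an annualized loss expectancy with SLE = C and
ARO = A * B (expected failures per year across the fleet).
"""
import math
from dataclasses import dataclass


def fight_club_x(a_units: float, b_rate: float, c_settlement: float) -> float:
    """X = A * B * C: expected payout from not recalling (A vehicles in the
    field, B failure rate per vehicle per year, C average settlement)."""
    return a_units * b_rate * c_settlement


def should_recall(a_units: float, b_rate: float, c_settlement: float,
                  recall_cost: float) -> bool:
    """The movie's rule: recall only when X exceeds the cost of the recall."""
    return fight_club_x(a_units, b_rate, c_settlement) > recall_cost


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF, the loss from one incident; EF is the fraction of the
    asset's value lost per incident, so it must lie in [0, 1]."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, where ARO is the expected number of incidents per year."""
    if aro < 0.0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and its assumed effect on incident frequency."""
    name: str
    annual_cost: float
    aro_reduction: float  # fraction of ARO the control removes, e.g. 0.7 for 70 %


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: net ALE reduction per unit of control
    cost. Positive means the control more than pays for itself in a year."""
    if control_cost <= 0.0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


def evaluate_control(asset_value: float, exposure_factor: float, aro: float,
                     control: Control) -> dict:
    """Compare ALE with and without the control and decide the way the
    business in the thread does: spend only when the loss removed exceeds
    what the control costs per year."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annualized_loss_expectancy(sle, aro)
    ale_after = annualized_loss_expectancy(sle, aro * (1.0 - control.aro_reduction))
    return {
        "control": control.name,
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "rosi": rosi(ale_before, ale_after, control.annual_cost),
        "justified": (ale_before - ale_after) > control.annual_cost,
    }


if __name__ == "__main__":
    # Constructed recall figures: 100,000 cars, 2 failures per 10,000 car-years,
    # an average settlement of 200,000 and a recall that would cost 5,000,000.
    a, b, c, recall = 100_000, 0.0002, 200_000, 5_000_000
    x = fight_club_x(a, b, c)
    print(f"X = {x:,.0f}; recall? {should_recall(a, b, c, recall)}")
    # The same arithmetic in SLE/ALE terms: one crash is the SLE, A * B the ARO.
    print("matches ALE:", math.isclose(x, annualized_loss_expectancy(c, a * b)))
    # Constructed breach scenario: 2,000,000 of customer data, a breach exposes a
    # quarter of it, expected once in five years; a 30,000/yr control cuts the
    # breach rate by 70 %.
    print(evaluate_control(2_000_000, 0.25, 0.2, Control("monitoring", 30_000, 0.7)))
```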

------
Simon321
If you work in security, this resonates so much. No one really cares about
security except to check a box or pay lip service to it. That's why so called
security products ship without logging and clients don't want to make the
smallest effort to enable you to improve their security. It's why companies
that sell security products invest more in marketing than the product. The
industry is full of conmen and marketeers. Information security can be great
though if you find someone that really cares.

~~~
raducu
I work as a contractor for a bank.

A few months ago everybody was up in arms about a "major" security issue
discovered by an auditor (you could see the settings of random users by
changing an id in a url). I've just shown them you can credit money to your
account, yet this is low priority and they provided a fix that I'm 100% sure
didn't fix anything; unfortunately the functionality is down on
all but the production environment. I'm tempted to just credit myself 1
monetary unit in production and just show them the statement.

~~~
trymas
> I'm tempted to just credit myself 1 monetary unit in production and just
> show them the statement.

I would be tempted too, though I could bet that this will be a termination of
an employment, instead of the problem being fixed.

I would like to be proven wrong on this speculation..

~~~
raducu
Yes, that's what I thought as well. I'll just have to suck it up until the test
environments are up again and provide a proof of concept exploit.

I'm just impatient because it's a really clever and somewhat complex hack that
challenges some multi-threading and transactionability assumptions some people
made, and I can't really talk about it (which I'd love to share with my peers).

~~~
unnouinceput
Raducule, did you do CYA (cover your ass)? E-mail(s) to higher ups
responsible in case of a fuck-up that most likely will happen in the future?
Do it now if you didn't, or "wave and smile" if you did. Let them burn if you
are ignored, no longer your problem.

------
isodude
I asked my SO recently how she views the Internet, what it is and how it works.
She was honest and told me that, "If I click this button, this website loads.
If that works I'm fine! If it doesn't I will call you. Don't stop working with
IT please, if you get it, we need you badly!"

I believe that is a good reason to be accepting towards the current state of
affairs. People just don't care. They have more important issues to deal with,
deadlines to meet, problems to face.

If you are frustrated and pissed off, great. That means you get it, and that's
great!

Now, meditate -- the journey to a perfect secure world will take some time,
like beyond your current life span. It's not until you accept that reality
that you will make real change globally. Because it takes time, a lot of time.

Thanks for your effort so far.

~~~
Iv
Thing is, it took me a long time to accept that people not caring was ok.

Now I realize that my dad is frustrated I never learned something as simple as
changing the oil on my car.

My mom does not understand how I can't name more than two flowers and can't
bake a pie.

My legal-minded friends are astounded I do not take a day to work on my legal
status to pay less taxes. Hell, my wife does the paperwork I am not even sure
of the tax rate we are paying.

And yet, I see myself as pretty curious, a jack of all trades. I understand many
things about CS, mechanics, electronics, manufacturing, politics, economics,
ecology... We live in a complex world and we rely on each other to make it
work.

Love each other, we really depend on each other, it is easier if we don't
consider others stupid for choosing different areas of skills.

~~~
tempguy9999
I can't accept that not caring is ok. The small "I don't care" extends into "I
don't care about anything outside my immediate environment" and that has
political and eventually global consequences.

If their bank account is drained they will care, and get angry, and then maybe
do something (but preferably the bank will recompense them in which case they
feel better and go back to not caring).

Some stuff you just can't do; as you say the world's too large, but many
people don't want to put in the effort to learn stuff that would benefit them
immediately, never mind over the longer term.

I really do not understand people.

~~~
bonoboTP
> I really do not understand people.

Well, then learning more about people's psychology and motivations seems like
a thing you could benefit from immediately :)

~~~
tempguy9999
I realise people don't care. I don't understand how they can so freely ignore
that this has consequences and not always even long term ones.

Given that I do recognise people won't change, would it help if I did learn to
understand their built-in magic curtain / SEP field[0]?

I ask with no hope any more, what do you advise?

[0]
[https://en.wikipedia.org/wiki/SEP_field](https://en.wikipedia.org/wiki/SEP_field)

~~~
isodude
It's like a runner that runs laps, if they can keep going they will. Sometimes
they need support but then they only do a pit stop. Getting information or
acquiring a skill with that state of mind makes you only learn what seems
essential to you.

Being accepting of that has the upside that you don't need to know the
background of a given individual (some people have a rough life, others just
don't think they will get it e.g. think they are not smart enough, others are
just working 400% and have kids), to accept the fact that they will just use
tech and maybe don't care about the inner workings. But is that really a bad
thing? Because that's exactly how they are built nowadays, ease of use.

I have people around me that I want to explain basic things in life to, but..
even if they actually listen their previous arguments float to the surface the
next day. People need to change themselves.

At the other end of the park there's a big playground. That's where I sit and
design the biggest sand castle I've ever built. I don't care that much about
running around, I switch playground when I have to.

Each mindset has its pros and cons. I solve stuff that takes a bit of
effort. My SO keeps our life/house running.

So respect and acceptance of others' choices is a great way to let go of
anger that nobody is interested in the things you are interested in. Finding
someone with the same mindset in real life is rare, even on HN. How cool is
that?

------
contingencies
The problem with the security mindset is that security goals are relative to
other business goals within almost every organization. A breach can be OK. A
rebuild can be OK. Some downtime can be OK. It depends on the system. To put
it eloquently: _I don't trust security people to do sane things._ - Linus
Torvalds (2017) ... via
[https://github.com/globalcitizen/taoup](https://github.com/globalcitizen/taoup)

~~~
Koshkin
Indeed, if you are a security engineer, everything looks like a threat to you.
Therefore, a developer's workstation must be protected just as strongly as a
critical database server - at the gross expense, of course, of the developer's
productivity.

~~~
arethuza
I once worked somewhere as a contractor where developers had 3 separate PCs
with a KVM switch - with there being separate development, test and production
infrastructure.

Ironically they had a serious production incident that almost took the entire
(large) company out for a day because they were doing load testing in one
environment (they had about 10 separate environments) but they had shared
email infrastructure between production and the production-1 environment. The
application being tested generated zillions of emails using "real" email
addresses that clogged up their production environment.

~~~
flir
My worst: Developer machines were dumb (but secure) terminals for remote
desktop connections to a jump box, where a VNC connection got us to a Linux
desktop living on AWS GovCloud where actual development took place.

It was a remarkably risk-averse client.

------
EnderMB
I don't explicitly work in security, but I've had a handful of arguments in
the past where I've discovered a serious vulnerability, and been told either
by my managers or by a client that it is low-priority.

Sometimes, the vulnerability was then exploited, and what shocked me was that
people were okay with this. I won't name names, but one marketing department I
worked with was happier to suffer a customer data leak over having to spend
budget during the end of the year to fix the issue. I later learned that the
IT department got in trouble for allowing the error to happen, when the system
was entirely managed by us and our sole point of contact was with someone in
marketing that left their position because they didn't get on with IT.

If there's one thing I learned, it's that the ultimate currency in business is
risk, and that the software/IT industry lacks the power to really do anything
when a company is found to be negligent. For many, the risk of "being caught"
is worth not spending money on preventative issues, and ultimately there's
absolutely nothing we can do about it outside of covering our asses when the
finger is pointed our way.

You only need to look at the Panera Bread security breach to see that all the
badmouthing on Twitter did nothing to stop the company from painting its own
narrative. Hell, the WordPress theme/plugin company Pipdig was caught DDoSing
its rivals with their software, and all they had to do was lay low on social
media for a month and lie in a blog post. The worst part was that their
non-techie customers were all too happy to back them up, meaning that the
WordPress security community had zero clout to really do anything.

I have the utmost respect for anyone that works in security, because you're
fighting a battle that no one wants to win, and is often a battle where it
feels your partners are silently rooting for the other side.

~~~
coldcode
I worked at a healthcare company in the US (we provided HIPAA data connections
between insurance and providers) and discovered all the production passwords
were stored in a text file in the code repo half the company had access to.
The CTO told me "we trust our employees". There was also no auditing on who
accessed the DB and servers, and they never changed the passwords because the
chief architect did not want to remember anything.

~~~
SamuelAdams
I worked at a retailer (not Target) that did something similar. Once Target
got breached in 2014, they mandated security training and began making changes
to some things in the org. This was one - instead of storing those passwords
in plain-text, they were encrypted. So people encrypted them, committed them
into the repositories, and deployed the now encrypted files to production.
Cool, right?

They didn't actually change the passwords, since that would break too many
things at once. So you could just look at the git history to get the plain
text password. Or debug the application locally.

Security theater all day. Sigh.

~~~
EnderMB
There's something both comforting and absolutely terrifying that everyone has
similar stories of software negligence.

I would love to see a whistle-blower company formed, where you could report
software engineering malpractice, and be compensated and/or protected from
being punished. Not necessarily a union, but an industry body that could
verify your security concerns and either "out" a company for punishing you, or
provide you x months of work and a reference to compensate the termination of
your employment.

------
vfc1
The bad news is that this will happen everywhere where you work for someone
else, especially in large companies.

And this cannot be avoided while working as an employee, it's part of the
system.

The good news is that there is one way to avoid this (the only way AFAIK):
start your own company, where you get to call all the shots, for good or for
bad.

It doesn't have to be a big company though, it can be just you and a laptop
for starters.

Other than that, as an emotional coping mechanism and to preserve their mental
sanity, people will simply become disengaged and cynical.

Take longer breaks and try to have a laugh with your colleagues to blow some
pressure and make friends.

Also, because things work badly in those environments, there is a lot of blame
deflection going on, which is one of the main causes of stress and burnout.

Again, part of the system, not much that you can do about it other than
learning to deflect responsibilities to others.

Getting rid of the hot potato is a very important skill in these corporate
settings.

Usually on a team, it's always the same people getting the short end of the
stick. Try not to be one of them if you can, but often that's easier said than
done.

Also, try to get promoted, you will get more responsibility and might even be
able to fix some of these things, that's another positive attitude towards
chaos that helps a lot of people cope with it.

~~~
0xffff2
I couldn't disagree more. I work for the government (in R&D) of all places
(about as close as possible to the opposite of working for myself IMO) and I
don't feel this at all. I have near-total control over my work environment. If
I need something, all I have to do is articulate why I need it and I will get
it or get a precise technical explanation of why I can't have it.

~~~
vfc1
That's a very special setting, most enterprises aren't like that. For example,
for material, you get a crap old PC where you can hardly run your IDE, where
you can't install anything.

These days it's doable to at least get a second monitor. But for things such
as an SSD drive? At least a couple of years ago it was nearly impossible.

The reason why burnout is frequent, is because in general in most places work
conditions are bad and stressful. In my view the problem is the system and not
the people.

Your professional setting seems like a good example of how it doesn't have to
be like that.

------
javajosh
This is the down-side of artificial scarcity for software. The upside is that
sweet sweet green. If you could remain cynical a few years longer, scrimp and
save like 10 years of a comfy mid 6 figure salary, you'd stop caring about the
BS, and you might even learn to love it (or even contribute to it!) After
all, nothing quite feels as good as being a well-paid expert in a complicated
field, especially when it grows more complicated over time.

It's offensive, and it's not how it should be, it's a "defect/defect" Nash
equilibrium when we should be going for "cooperate/cooperate". So kudos to you
for fighting the good fight - you deserve to win.

~~~
ailideex
> artificial scarcity for software

Can you elaborate on this? Why would you say there is artificial scarcity for
software?

~~~
javajosh
Software costs ~0 to copy and distribute absolutely perfect copies,
worldwide. To drive the price up you create artificial scarcity, mostly rooted in
IP law.

Important note for HN readers: 'driving the price up' is a net benefit for
programmers. Artificial scarcity is why you get paid big bucks.

Interestingly, _data_ is legitimately scarce. But that's a discussion for
another time...

~~~
rumanator
Copy and distribution costs are just a part of the cost. Development and
maintenance does require real flesh and blood people spending their days
working on developing, building, and deployment. That part costs money.

~~~
javajosh
You tacitly assume that I am not aware that software products have an R&D
cost, and you are (insultingly) wrong. Of course they do. And without
artificial scarcity that R&D cost _will not_ be recouped. The default state of
software is an open source model, where the "developing, building, and
deployment" doesn't cost money because there isn't any.

~~~
saberdancer
Copy and distribution costs for movies in a digital age are non-existent. Are
movies using artificial scarcity?

~~~
BlueTemplar
That movies are almost impossible to buy DRM-free should give you a hint ?

------
eric_b
We're creating more complexity every day. Kubernetes, microservices,
microfrontends, "big data" lakes, etc etc. Now instead of securing a physical
server, or even a VM, you have to somehow secure thousands of interconnected
endpoints in PaaS products in a cloud you can't even debug appropriately. Is
it a surprise our software is worse than ever these days?

We've added complexity but we haven't increased our capabilities. What
software can we make today that we couldn't 10 years ago? I'll even stipulate
there could be a few examples, but 99% of the stuff we build today could have
been built faster, cheaper and secured easier 10 years ago.

------
bayesian_horse
Basically everyone wants security, but nobody wants to pay for it.

Maybe the market equilibrium means people don't get hurt enough yet.

~~~
dredmorbius
Everybody wanna be a bodybuilder. But ain't nobody wanna lift no heavy-ass
weight.

[https://www.invidio.us/watch?v=4UlgXIL0-3g](https://www.invidio.us/watch?v=4UlgXIL0-3g)

~~~
Wheaties466
good ole Ronnie Coleman.

------
etaioinshrdlu
I think this person should seek happiness in ways that don't involve
technology.

~~~
travbrack
They’re expecting greatness from everyone around them. That would drive me
crazy as well. My mental health is too important to be idealistic anymore.

~~~
NetOpWibby
When I was in my early 20s I couldn’t understand why people were so jaded
about anything. A decade later and, I understand.

People don’t give a damn and it’s mind-boggling. All you can do is shake your
head and continue with your day.

------
commandersaki
It seems a lot of people here find information security to be of utmost
importance.

I would like you to consider a contrarian position. What if someone said
cybersecurity (as in information security) is not very important?
[http://www.dtc.umn.edu/~odlyzko/doc/cyberinsecurity.pdf](http://www.dtc.umn.edu/~odlyzko/doc/cyberinsecurity.pdf)

~~~
dcx
I disagree. The contours of our world are shaped by the quality of our
cybersecurity, to the point that it's the water we swim in and we just don't
see it any more.

Some examples: The last US election was won in large part through highly-
targeted influence campaigns run based on stolen data. Not to mention the
triggering of Brexit. The influence of the NSA / Russia / Five Eyes / etc on
geopolitics hinges on poor cybersecurity. I think it would be silly to assume
all of the recent leaks we see come from "inside the building".

The entire economics and solution space of what is possible on the internet is
shaped by our cybersecurity standards. What would the internet look like if
payments and spam were easy instead of hard, or if DDOS was hard instead of
easy? I might hazard a guess that this is one factor of many that drives the
centralisation of tech into monopolies.

A positive externality: The general failure of the tech industry to develop
good content protection has enabled widespread software and media piracy. I
might suspect this has allowed second and third world countries to uplift
faster than otherwise possible (sci-hub anyone?) while also removing a tool of
empire from the first world.

------
didibus
Why would you need an InfoSec if security was a solved problem?

By the way, I totally understand where they're coming from, but I've realized
that as an engineer in enterprise, your job is to fix things that are falling
apart. The more senior and talented you become, the more broken the things
they want you to fix become. That's literally your job!

They're not going to pay you to admire the beauty of something without issue
that meets all requirements.

------
parliament32
> I'm mad that I sat on a call representing my company's (not cloud native)
> cloud offering listening to Cisco tell us that the only way to get logs from
> god damned IRONPORT in the cloud was to use syslog! OVER THE INTERNET. FOR
> SECURITY LOGS.

Why is this an issue? This is how syslog works on literally every device ever,
you set a destination and it streams it over UDP with optional
authentication/encryption. If you want to do something hokey like consume logs
over an api (what?) set up a syslog gateway and configure log retrieval how
you like. You can't be mad at a vendor for not supporting your crazy log
consumption scheme -- logs are push (generated), not a pull or sub or whatever
you're trying to do.

A normal setup would be to have a logging cluster (elasticsearch or similar).
Feed logs into it via syslog or logstash or beats or whatever other bajillion
plugins there are, then get logs out via the ES api (or even better, do your
analysis straight in ES).

The author just sounds mad he has to do actual work instead of attaching one
product to another and collecting a paycheque for it.

~~~
freehunter
Syslog is a plain text protocol. Sending that over the internet kinda defeats
the purpose of security logging. The problem isn’t with syslog (although like
the post says, syslog is still a problem for security). The problem is syslog
over the internet.

------
gorgoiler
Thanks for the essay. I’ve often seen, and myself felt the frustration of the
productivity mismatch of having to work with other teams, vendors, and third
party products that drag their heels, are rigid, or inflexible.

When your day-to-day involves writing code — putting together hundreds of
moving parts in a code editor and shipping levels of complexity orders of
magnitude greater than any previous era of the Industrial Age — it can be a
real drag to get slowed down by things that _aren’t_ code.

We have to work as teams of course, and it’s enriching when you’re all on the
same page. People scoff at mission and statements and company values, but once
you start working with an external vendor you realize the importance of the
literal meaning of _company_. When you’re forced to work with something
inflexible it’s ok to hack around it. It’s our bread and butter to do so.

But having to hack around things will build a sense of resentment especially
when it happens over and over again, and in particular if you ever find
yourself doing that to an internal product it can be a serious enough red flag
to require some major org changes.

------
Cougher
This guy needs to understand his place in the workings of everyone around him,
just like his product's place in the workings of the products around it. If
you provide a product with a function that is transparent to the user unless
it breaks, then they're going to place their priorities where the needs are
most obvious and rewarding. The people who use his products have jobs whose
focuses are something other than his security product. Their priority will
always be on what they have to do to earn their money. A corollary to earning
money is saving money. As far as the product never arriving at its ideal
function goes, the products that his security products serve will always
evolve, so his product will always have to change with them. You can only let
these things get to you so much. Source: I was responsible for the surgical
equipment for a hospital. You want to see reality avoidance and cost-priorities
get ugly?

------
makach
This post resonates very well with me. I am in the exact same position,
possibly more frustrated because of our naïve attitude towards building
security.

------
alecco
Ah, syslog. Around 18 years ago I was part of a group developing the next
syslog protocol with security in mind. My company (one of the top infosec
firms at the time) had a product doing this already.

The standards group was a mess. Some other company without any credible
security credentials was just forcing their bad implementation (TCP (!) and
yet another protocol layer). They were backed by Microsoft and some other
corporation. Cisco member just idling there. I ended up leaving as it was a
waste of time. Never even bothered checking what happened with those
protocols. But I've never heard of them again.

(tinfoil hat on) I think the Microsoft guys sabotaged it on purpose and
succeeded.

~~~
parliament32
Don't know about what group you're talking about but it ended up well: no need
for a new protocol, just wrap in TLS with mutual cert authentication. TLS/TCP
is fast enough nowadays that the overhead doesn't matter, and it saves you
from having yet another standard.
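
The "just wrap it in TLS with mutual cert authentication" approach from this reply, and the plaintext-over-the-internet concern in freehunter's comment above, as an added example that is not from any commenter and not from any vendor's documentation: an rsyslog configuration showing the weak plaintext UDP forwarder beside a TLS forwarder that authenticates both ends with X.509 certificates (RFC 5425, port 6514). The hostnames and the certificate paths under /etc/pki/rsyslog/ are assumptions; substitute your own.

```conf
# ---- Sender (the appliance or host that produces the logs) ----

# Weak: classic syslog over UDP/514, cleartext, no authentication of either
# side. Fine on an isolated management network, not across the internet.
# *.* @logs.example.com:514

# Hardened: syslog over TLS with mutual certificate authentication.
# Paths below are assumed; the CA is the one that signed both client and
# server certificates.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/client-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/client-key.pem"
)

action(
  type="omfwd"
  target="logs.example.com"     # assumed collector hostname
  port="6514"                   # RFC 5425 syslog-over-TLS port
  protocol="tcp"
  TCP_Framing="octet-counted"   # RFC 5425 framing, avoids newline splitting
  StreamDriver="gtls"
  StreamDriverMode="1"          # 1 = TLS required, 0 would allow plaintext
  StreamDriverAuthMode="x509/name"          # verify chain AND the peer name
  StreamDriverPermittedPeers="logs.example.com"
  queue.type="LinkedList"       # buffer on disk/memory if the link is down
  queue.filename="fwd-tls"
  action.resumeRetryCount="-1"  # retry forever instead of dropping logs
)

# ---- Collector (the host that receives the logs) ----
# Same CA/cert/key settings in global() as above, with the server's own
# certificate. Only clients whose certificate name matches PermittedPeer are
# accepted; anything else is rejected at the TLS handshake.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.com"])   # assumed client naming scheme
input(type="imtcp" port="6514")
```

Two points worth checking in a deployment: "x509/name" ties acceptance to the subject/SAN of the peer certificate, so a stolen CA-signed certificate from an unrelated host is still refused by name; and the disk-assisted queue with unlimited retries is what keeps a flaky WAN link from silently discarding security events, which is the other failure mode of fire-and-forget UDP syslog.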

~~~
alecco
But they did create a protocol with even more layers.

Also our solution did not need two way communication (as per TCP) but had
encryption. This is key in a lot of infrastructure when you change
environments (e.g. DMZ to some internal subnet). TCP and SSL were supported,
too. Our software was used by one of the largest Unix installations and one of
the largest telcos in the world. While theirs, not so much.

------
Wheaties466
I also work for a security product vendor and this 100% reflects exactly how I
feel. My god you'd think I wrote this.

I'm still very upset that my employer's product doesn't have particular
features, but what I've come to realize is that we don't have feature X because
the competitor doesn't have feature X.

If someone was to buck the trend and just try and be the best vendor possible
because it's what users deserve, that would completely disrupt the industry.

I completely understand this thinking but I'm tired of hearing that the dev
team is developing feature Y that only 1 customer will use simply because they
are a fortune 500 customer.

------
zelon88
I feel like a large part of the responsibility lies with the people
implementing these networks to be able to document, compartmentalize, and
organize these various systems in the least convoluted manner.

The biggest problems I see achieving that are all the different ways of
accomplishing the same goals. For example, many endpoints in a network will
have 3 or 4 DRM agents on them for licensing certain products. What do they
connect to? What are they sending? What infrastructure variables need to be in
place to support those connections? How do I configure or troubleshoot this
service/connections?

Most of these agents are critically ineffectual and simply add bloat. I've
done pentests in my own environment and broken, cracked, or bypassed three. My
point is, the company who hired you can't change their entire operation
because of your requirements. That's why we go to work. Especially at small or
medium size businesses with limited resources.

"Stop using the ERP system with 12gb of data that you've had 30 people using
for the past 15 years! We found a bug and the vendor won't fix it!"

You can see how that's not viable. So you find a way to mitigate the bug
yourself.

"You need to get rid of XXX in engineering. They keep falling for phishing
emails."

No. You need to find some resources or setup training to combat phishing.
Create rules or modify this person's environment to reduce surface area and
increase visibility on that endpoint.

And sometimes you can't solve it! But you can usually pick off some low
hanging fruit and iterate to a more secure state than you started at.

~~~
naravara
> You need to find some resources or setup training to combat phishing.

Honestly it’s so bad I think we’re best off just figuring out ways to do away
with email as a primary communication mechanism altogether. When my company
was smaller we had more technically savvy people, but as we’ve grown the
average level of competence has sunk just to meet staffing needs and it’s
impossible to keep up with training and expect people to actually really
listen.

So if I had my druthers it would be a blanket ban on email for all internal
communication. Formal taskings get done through a PM tool, general requests
for information done through Slack, and documents managed and shared by the
GDrive.

Email restricted only to communication with outside partners. All links and
URLs are blocked. All attachments are stripped and send an email telling them
to send it via an upload portal that pings the person on Slack that they have
a [filename] waiting for them.

Part of the problem is how much we’ve habituated people’s email habits to
behave badly. We tell people over and over again not to blindly click URLs,
and then by default Microsoft Teams is here emailing people every time they
get mentioned in a chat with a big “view in Teams” button to click through.
Users get mixed messages all the time so can we blame them for not knowing
what to do?

And the worst part is that the worst actors in this request are senior
executives. The higher up the chain the less regard they have for following
established processes.

------
NetOpWibby
A buddy of mine works in security and I can see him writing this post, haha.

Or did he?

Anyhoo, I cannot imagine working in a technology field and not being allowed
to do your damn job. Sounds frustrating af, I’d quit too.

------
pif
You are not pissed off, you are burned out.

When all the people around you are fine and you can't cope with the
environment, it's time to look for professional help, for your sake.

~~~
thdrdt
I don't think he/she is burned out. When you are burned out you can't do
anything anymore. Then you are way over 'being pissed off'.

But! being pissed off at work is a very good way to get burned out. Most
people who are burned out are having conflicts between their morals and what they
do or how they live.

So good for the author to make this clear to his boss and to take action.
Because in the end being mad will turn into being burned out.

------
mikorym
Don't you think that most of your clients being breached is immaterial in the
greater scheme of things?

You seem to be bothered by the "overall picture". I am also prone to this
sentiment (not in infosec though) but I am actually consoled by the sort of
nihilist nature of things. Maybe even optimistic for being so. I think the
stuff that keeps us happy are minutiae.

If you are super keen about APIs then maybe building really sensible APIs
along the way will bring you the relief of having something stimulating to
work on. At the moment I get a lot of satisfaction from tooling vim to be my
super-IDE and every time I use vim now I get a kind of wry happiness from not
having to use all kinds of apps and what-not. I think APIs can be super
interesting and useful. For example, I wanted to pull the Bitcoin purchasing
history from a site and the answer was... you have to use Golang.

I also get a sort of satisfaction from using Perl in this way. (I use Python
too.) It's just that all kinds of wonderful gems were once written in Perl by
people that were clearly bored with their lives (exiftool comes to mind).

------
aidenn0
15 years ago, a classmate of mine went into security and had a similar state
soon after. He decided that the entire industry was either snake-oil, or
installing a 3rd deadbolt on the front door to a house with open windows.

He quit the security field, became a DBA, and moved to be close to his family
in the midwest, collecting an annual paycheck roughly equal to the cost of a
4BR house there.

------
hexxiiiz
While a lot of what the author notes about the issues with security are
reasonable complaints, it sounds like the real problem is that the author is
burned out because of how all of these underlying issues are dumped onto him
as his problems. The real problem is not all of these real world issues that
end up affecting him, it is that his work relationships and responsibilities
turn these technical issues into personal ones. His response is not to really
level with his boss and negotiate a better work circumstance, but instead to
vent about how it is the fault of the technical integrity of the entire
industry that he has to deal with his boss, his clients, and his workloads.
The real problem with the industry is that too few people in it manage
interpersonal expectations and boundaries. Instead, it's all too common to
hear people in this space to transform interpersonal issues into obnoxious
technical gripes, and that only enables the interpersonal dimension to erode
further.

~~~
TeMPOraL
I don't know... The opposite of doing what the author does would be what?
Arrange his work so that it's not all his problems? Adopt the mindset of "code
to spec, collect paycheck"? To me, the author comes across as caring. They
_care_ about the actual value of the work they're doing, beyond their salary.
We desperately need more people like that in this industry, because a lot of
problems essentially boil down to it being full of people who don't care in
the slightest.

------
user132
I also work for a cybersecurity vendor and what I am witnessing at work looks
a little similar to other comments here.

Every feature and improvement goes through the same cycle:

- Sales come with user stories/feedback

- Boss distorts the needs and comes up with a solution that's good for nobody

- The engineering team tries to reason the boss into meeting the actual needs
and fails 9 times out of 10 because he knows better

- The feature is carefully designed to be as secure, user friendly and
efficient as possible

- Boss ruins the UX and security by inventing ridiculous constraints,
sometimes saying that we can improve on it later

- Insecure and user hostile feature gets released in the next software version

Of course boss and sales advertise the product as the next generation of cyber
security product, better than anything already out there. I've not been
working here for a long time but I know I will get tired of this stuff very
quickly.

------
youdontknowtho
The main thing here is that a company that can't directly tie security to
revenue will NEVER value it the way that security people think it should be
valued.

I can't count the number of times that some wanker used the words "I will sign
off on the risk" when they didn't understand the risk that they were putting
off on departments that they had no authority over. What they were really
saying was, "I can tell you what to do".

The truth of the thing is that business doesn't care about something being
right if it can save a single penny by doing it wrong...the only way that
changes is if the cost of doing it wrong becomes dramatically higher than the
savings gained from cutting corners. The operative word there is
"dramatically". See the fines that companies pay to regulators when caught
breaking the law as evidence.

------
kodablah
> I'm pissed off at the state of information security [...] I'm pissed off
> that our tooling is falling behind. I'm pissed off that my clients don't
> seem to take it seriously

Information security, like physical security, isn't something people want to
have to care about or put effort in, and if they don't want to, they often
won't. What you should be pissed about is that clients have to care and it
isn't applied transparently. When being insecure is more difficult than being
secure, then you'll find the mindset shift. In the meantime, you should be
pissed off at those that make security difficult, not those that care less to
endure those difficulties. I know some of the post addresses vendors, but the
rest concerning your-company software and vendors is misplaced anger.

------
sundbry
Does anyone care to explain what the big issue with syslog is? I've been using
syslog-ng in production for years and its performance has been flawless. Is
there something I'm missing re: security? Is the issue the weakly-structured
log formats?

------
tabtab
Humans suck. They are mostly social creatures who follow social instincts to
gain social credit. Logic and efficiency play a back seat to those goals. If
you pretend or hope they'll become like Vulcans, you will be repeatedly
disappointed.

------
ncmncm
As well he should be. So should we all.

------
pietrod
The lesson is so simple and it's all over the place: in the late-term economic
cycle, economic interests don't align with those of the individual.

The economy has to grow, create artificial scarcity, complexity, jobs, etc., and
after a while this gets so easy to spot that it starts to annoy; normally from
this phase you end up in a global war in fact, so at least it won't last! XD

------
luxuryballs
Sometimes the best way to solve a problem is to stop participating in it. Why
do the security breaches matter so much in the first place?

If the risk is so high and the security so bad, stop using the technology for
things that demand more than provided protection.

Otherwise it makes it sound as if we are being sold snake oil. (Hint it’s a
stepped approach that starts with being disconnected to the internet.)

~~~
ehnto
I wonder if the idea of storing large amounts of sensitive data for use in
internet connected systems is even something we should be doing. With how
complex systems are now, it's almost inevitable something or someone will cause
a breach, knowingly or not.

It probably doesn't work in many countries due to "Know Your Customer" style
laws, but in my systems I throw away all but absolutely required data as I
just don't want the liability. Sometimes that means I just keep a username and
password hash.

------
nathanvanfleet
I think it's kind of funny how burn out was previously described and how it
really is. I think that if I had challenging interesting work, and my work
reviews also matched my efforts, I could come into work every day and work
really hard. But if either of those things are out of balance, it gets really
hard to keep motivated and wake up in the morning.

------
Jemm
I think this is similar to the experience of almost any competent person when
dealing with corporate lunacy.

------
skittleson
I can relate to the author. Worked for now acquired payment gateway that was
for PCI compliance level 1 (over 6 million transactions a year). Getting upset
over outdated practices by either the company or the security company testing
our software was regular.

------
m0zg
No bud, you are burned out. You give too much shit about what is ultimately
someone else's business and company. If you don't stop doing that, you will be
burned out no matter where you go and what you do.

------
jamisteven
Security companies exist simply to mark a check box on most industries' "Cover
my ass" list. If you are pissed off maybe move out of this and into a sector
that actually cares about security.

------
lonelappde
This is what burnout means. It's learning that it's impossible to succeed at
your task, sapping your motivation to work on it.

------
pinkfoot
The fundamental problem is IT is engineered at a price-point two to three
orders of magnitude lower than what the complexity demands.

------
StillBored
Well, the entire purpose of the infosec industry is to cover for the sh*t
practices in the software development industry (and no it ain't engineering
what most of these people practice).

So you have to expect that if your vendor is CADT your security is going to be
full of holes and undiscovered bugs, critical missing features/etc. Move fast
and break things also means shed-loads of bugs, many of which could be
exploited by an enterprising individual for gain.

------
gabrielblack
what if I tell you that a software banks (B-A-N-K-S) are using to transfer
money has hardwired passwords inside, has to run as administrator and has some
problems of command injection, etc, etc ... etc ? Sadly company think to
security as a cost and to maximize the profit let people should never approach
a keyboard to write programs, unsecure programs, because they cost less.
Because also testing is expensive, same story. Did a big airplane manufacturer
does the same ? The customers ? Who takes decision often doesn't care: they
prefer to spend more money to purchase a scapegoat, a "silver bullet"
appliance so that they can say "Hey, we had all the contromeasure, but hackers
know black magic !". I don't want to burn-out. I prefer to give the correct
information to the peoples want to listen and then I hope in a future in a
better company.

~~~
nvrspyx
I assume English isn't your first language, so this is my attempt to correct.
Please don't take this as a criticism, but rather as (hopefully) helpful
feedback. Even with English as my native language, I'm sure there's some
grammar mistake I've made as well.

____

What if I told you that the software banks are using to transfer money has
passwords hardwired inside, has to be run as administrator, has some command
injection problems, etc.? Sadly companies think of security as a cost and to
maximize their profit, they let people who should never even approach a
keyboard write insecure programs because they cost less. Because testing is
also expensive, it's the same story. Did a big airplane manufacturer do the
same? Their customers? Who makes the decision often doesn't care. They prefer
to spend more money to purchase a scapegoat, or a "silver bullet" appliance,
so that they can say, "Hey, we had all of the countermeasures, but hackers
know black magic!". I don't want to burn out. I prefer to give the correct
information to the people that want to listen and then hope for a better
company in the future.

____

~~~
gabrielblack
Thank you ! Yes it isn't my first language and I wrote the post going at work,
on a bus. So no time to review it.

------
kakapumar
I like that at least you have a plan to do next lol

------
itsjustsomeguy
Sounds incredibly like LogRhythm to me :)

------
sabujp
beyondcorp : hardware keys and certificates for access to everything
essentially

------
x7k
Thanks OP for this

------
known
Join a night college and acquire new skills;

------
imvetri
What you gonna do about it?

~~~
Fordec
You mean the last three paragraphs titled "So what am I going to do about
it?"?

------
chahex
You are not pissed off of your work. You are pissed off of yourself. You are
not complaining because the work is wrong, you are complaining because you are
angry within, and you believe it is not your fault. You are not taking
responsibility for your emotions as you are supposed to and as taught by all
the masters of wisdom. Go back home and rethink who you are. The world is not
changing for you unless you change yourself. You are losses off because you
are seeing an imperfect self everywhere.

~~~
slimed
This type of drum circle commentary is so unhelpful.

Raising the bar for security in the software industry requires much more than
just self reflection and elbow grease from individual engineers.

The solution requires buy in from all stakeholders. Especially management.

~~~
chahex
We are not talking about the same problem. You are not seeing the fact that it
is only you who are responsible for what’s happening inside you. And you are
taking the wrong path fixing that by fixing everything else but you.

~~~
Cougher
"You are not seeing the fact that it is only you who are responsible for what’s
happening inside you."

This kind of pop-psych babble is naive and abusive.

~~~
chahex
Blame the whole world, why don’t ya

~~~
Cougher
That's clearly the only other option.

