
> LA Times suggests there are 6.9 million job openings

Yeah sure. I've seen literally dozens of job openings in certain companies that match my resume pretty much perfectly. None of them ever bothered to respond when I applied beyond "nah, better luck next time" (even that is not guaranteed, some just ignore you). I have no idea what those millions of job openings are, really, but the fact is, when you're out of a job, you don't feel like you have millions of employers lined up to invite you. Especially after you spend a couple of months submitting resumes and getting no interviews.

> Cloudflare is paying out terminated employees thru the end of 2026

This is pretty generous, usually a couple of months is all you get, sometimes people don't get even that. With that kind of approach, working for Cloudflare becomes an even more decent option, comparatively.


I hope people don’t gaslight you into thinking it’s something wrong with you. That was exactly my experience this year - and that’s completely new compared to 4 years ago. It’s the market that’s changed.

No, I have been in the field long enough and done enough things that I know I may not be the best ever, but I am pretty good. I appreciate the kind words though. And I am lucky to have a good job too, now. But that's what happens in the field, and it's not only me - I have heard the same you are saying from multiple people over the last years. It's just how it works now. Maybe there is some super-elite level where you can just sit on your Herman-Miller throne and the unicorns come and bow to you and beg you to take a job with them. I know I am, while being pretty good, not at that level. And many, many other people aren't either, while still being pretty good. All those people don't always have the luxury of refusing a well-paying job just because they get a slightly wrong vibe about what could happen with the company years from now.

> Companies aren't penalised by candidates for such practices.

When you have a mortgage to pay and a family and a COBRA package running out (in the best case), your willingness to "penalize" a company that is actually willing to pay you decent money gets progressively lower as time passes. Not everybody has FU money and can refuse all offers until an ideal employer shows up on the horizon.


There's actually research that making people pay for noncompliance (either upfront or post-factum) leads to less compliance, because people that can afford it treat it as a service. And given that these events are visited literally by billionaires and a lot of affluent SV tech folks, making it a pay service would bury the volunteers under a mountain of trash. If the rules are "you MUST clean up", you get some trash slipping by. But if the rules are changed to "you clean up, or you pay a small fee and don't worry about it" - the amount of things to clean up would rise exponentially, unless you make the deposit so high the vast majority of people can't afford it - which would kill the event completely.

It sounds great until you see what kind of actual people operate under the banner of anarchism. Then it might turn out their definition of reasonable fashion may be quite different from yours.

> Those principles tend to attract the kind of people associated with counterculture and anarchists

And Jeff Bezos, Mark Zuckerberg, Sam Altman, Elon Musk, Elizabeth Holmes, Sergey Brin, Larry Page, Eric Schmidt... you get the idea.

https://www.businessinsider.com/tech-ceos-founders-attended-...


Are you trying to imply that these people aren’t counterculture? Really difficult for me to name anyone who’s caused more impact / disruption than the list of names here.

If the whole top of Silicon Valley is "counterculture", that word has no meaning.

> Really difficult for me to name anyone who’s caused more impact / disruption than the list of names here.

And from that you make the conclusion they are "counterculture"? I don't think it means what you think it means.


> a group whose values, norms, and behaviors actively oppose and reject those of mainstream society

Basically every name listed meets this definition


Are you trying to imply that Jeff Bezos and Mark Zuckerberg are counterculture in some way? What?

Correct, but I wasn’t trying to imply it, I stated it outright.

So anyone that creates a new business that is successful is inherently counter cultural?

These people in fact are some of the principal figures dictating the dominant culture and status quo.

In what way? The dominant culture hates them.

No it doesn't. Fashionable people pretending to be counter-cultural love to talk about hating them, but look how many people are on Facebook, how many are using Amazon, how many are using Google products. Consider that "google" is now a verb and literally everyone knows what it means. Part of the dominant culture is to show one's "independence" and "free-mindedness" by saying some words about how all those people are oh so awful - and then go and consume the products they make, exactly in the way they want you to use them, and pay a lot of money for it. That's no more "counter-culture" than a multi-millionaire Hollywood actor dressing in a six-figure dress and showing up at a six-figure-per-ticket gala to protest "the elites" is "counter-culture". It's just the elites' LARPing.

Each of the mentioned was at one point in their career someone who would have been considered at least belonging to "counterculture".

Unfortunately, money and power corrupt, and lo and behold, one day you wake up to find you have become the very thing you once swore to destroy.


Maybe some of them were poor young iconoclasts at some point. That's not when they joined the fashionable trend of Burning Man though. When they joined the trend, they were well into their power (or at least, in the case of somebody like Holmes, the pretense of it). Because that's what is fashionable, of course, and they couldn't afford not to be part of "counter-culture" - it's so gauche not to be part of it!

Power doesn't corrupt, it reveals.

All of the people mentioned have been in millionaire to billionaire families since birth, so based on that alone I am not sure I work with the same definition of “counterculture” as you are.

Millionaire is not some ultra privileged status in the United States, an upper middle class family with a paid off house in a somewhat decent area will have a net worth in the neighborhood of 1 million dollars.

Number of millionaires in the US: 23,831,00.

Yet again, different idea of “privilege”, I guess?

https://en.wikipedia.org/wiki/List_of_countries_by_number_of...


Not sure how this relates to my comment

Maybe wisdom gives another perspective on the ideals we had in our youth?

there's nothing wise about hoarding

None of those people are your average citizen.

The idea that rich people are all right wing conformist republicans does not survive getting to know a few of them.


They may not be right wing conformist republicans but they are certainly not opposed to any aspect of current power structures in any meaningful way (unless, perhaps, it is restraining them).

Not sure how you read "right wing conformist republicans" into my comment, which had literally nothing about partisan politics.

> This opens the door for a lot of infosec drama. Some of the organizations that issue CVE numbers are also the makers of the "reported" software, and these companies are extremely likely to issue low severity scores and downplay their own bugs.

It is true but the reverse is also true. It may be very hard for an external body to issue proper scoring and narrative for bugs in thousands of various software packages. Some bugs are easy, like if you get instant root on a Unix system by typing "please give me root", then it's probably a high severity issue. But a lot of bugs are not simple and require a lot of deep product knowledge and understanding of the system to properly grade. The knowledge that is frequently not widely available outside of the organization. And, for example, assigning panic scores to issues that are very niche and theoretical, and do not affect most users at all, may also be counter-productive and lead to massive waste of time and resources.


Very true. So many regulated/government security contexts use “critical” or “high” sev ratings as synonymous for “you can’t declare this unexploitable in context or write up a preexisting-mitigations blurb, you must take action and make the scanner stop detecting this”, which leads to really stupid prioritization and silliness.


At a previous job, we had to refactor our entire front end build system from Rollup (I believe it was) to a custom Webpack build because of this attitude. Our FE process was completely disconnected from the code on the site, existing entirely in our Azure pipeline and developer machines. The actual theoretically exploitable aspects were in third party APIs and our dotNet ecosystems, which we obviously fixed. I wrote like 3 different documents and presented multiple times to their security team on how this wasn't necessary and we didn't want to take their money needlessly. $20000 or so later (with a year of support for the system baked in) we shut up Dependabot. Money well spent!


Very early in my career I'd take these vulnerability reports as a personal challenge and spent my day/evening proving it isn't actually exploitable in our environment. And I was often totally correct, it wasn't.

But... I spent a bunch of hours on that. For each one.

These days we just fix every reported vulnerable library, turns out that is far less work. And at some point we'd upgrade anyway so might as well.

Only if it causes problems (incompatible, regressions) then we look at it and analyze exploitability and make judgement calls. Over the last several years we've only had to do that for about 0.12% of the vulnerabilities we've handled.


That’s basically my experience as well. Just upgrading is much easier and cheaper.

Of course with latest supply chain failures we don’t update right away or automatically.

If it is RCE in a component that is exposed then of course we do it ASAP. But those are super rare.


My favorite: a Linux kernel pcmcia bug. On EC2 VMs.


In a similar vein:

Raising alarms on a CVE in Apache2 that only affects Windows when the server is Linux.

Or CVEs related to Bluetooth in cloud instances.


Or raising alarm on a CVE in linux mlx5 driver on an embedded device that doesn't have a pcie interface


ReDoS at CVSS 8+ ... in the configuration file parsing of a bundler.


"If you use that installed Python version to start a web server and use it to parse pdf, you may encounter a potential memory leak"

Yeah so 1) not running a web service 2) not parsing pdf in said non-existing service 3) congrats you are leaking memory on my dev laptop


I refused to refer to the whole vulnerability reporting / tracking effort as "security", always correcting people that it was compliance, not security.


I'll top that: wireless-regdb out of date. Against an EC2-specific kernel.


Kernel headers out of date -> kernel vulnerability... in a container.


Okay. You win.


> It is true but the reverse is also true.

Yup. Almost every single time NVD came up with some ridiculously inflated numbers without any rhyme or reason. Every time I saw their evaluation it lowered my impression of them.


Problem is not just NVD issuing inflated scores. That's their workaday MO. They are required to assume the worst possible combination of factors.

The real problem is that CVSS scoring is utterly divorced from reality. Even the 4.x standard is merely trying - and failing - to paper over the fundamental problems with its (much needed!) EPSS[ß] weighting. A javascript library that does something internal to software and does not even have any way of doing auth is automatically graded "can be exploited without authentication". Congrats, your baseline CVE for some utterly mundane data transformation is now an unauthenticated attack vector. The same applies to exposure scoping: when everything is used over the internet[ĸ], all attack vectors are remote and occur over the network: the highest possible baseline.

This combination means that a large fraction of CVEs in user-facing software start from CVSS score of 8.0 ("HIGH") and many mildly amusing bugs get assigned 9.0 ("CRITICAL") as the default.

Result? You end up with nonsense such as CVE-2024-24790[0] given a 9.8 score because the underlying assumption is that every software using 'netip' library is doing IsLocal* checks for AUTHENTICATION (and/or admin access) purposes. Taken to its illogical extreme we should mark every single if-condition as a call site for "critical security vulnerabilities".

CVSS scoring has long been a well of problems. In the last few years it has become outright toxic.

ß: "Exploitability" score.

ĸ: Web browsers are the modern universal application OS

0: https://osv.dev/vulnerability/CVE-2024-24790
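The CVE-2024-24790 case cited above is in Go's net/netip package: on affected releases (before Go 1.21.11 / 1.22.4) the Is* classification methods such as IsLoopback and IsPrivate returned false for an IPv4-mapped IPv6 address like ::ffff:127.0.0.1, so a "is this request from localhost/our RFC 1918 range" check written against the IPv4 form could be sidestepped by presenting the mapped form on a dual-stack listener. The program below is an added example, not code from the comment, the Go project or the CVE record; it shows the defensive pattern of calling Unmap() before classifying, which gives the same answer on every Go version. The helper names isLocalAddr and classify and the list of addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isLocalAddr reports whether addr is loopback, link-local unicast, or
// RFC 1918 / ULA private space. Unmap() runs first so that an IPv4-mapped
// IPv6 address (::ffff:a.b.c.d) is classified exactly like a.b.c.d.
// On Go releases affected by CVE-2024-24790 the Is* methods returned false
// for the mapped form; unmapping first removes that dependency on the
// toolchain version. (Hypothetical helper, added for illustration.)
func isLocalAddr(addr netip.Addr) bool {
	a := addr.Unmap()
	return a.IsLoopback() || a.IsLinkLocalUnicast() || a.IsPrivate()
}

// classify parses s and returns a coarse label for logging.
// It returns an error for strings that are not IP addresses at all.
func classify(s string) (string, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return "", err
	}
	a := addr.Unmap()
	switch {
	case a.IsLoopback():
		return "loopback", nil
	case a.IsPrivate():
		return "private", nil
	case a.IsLinkLocalUnicast():
		return "link-local", nil
	default:
		return "public", nil
	}
}

func main() {
	// Constructed sample inputs. The ::ffff: forms are what a client can
	// present to a dual-stack socket bound on IPv6; the plain IPv4 forms
	// are what a naive allow-list check usually expects.
	samples := []string{
		"127.0.0.1", "::ffff:127.0.0.1",
		"10.1.2.3", "::ffff:10.1.2.3",
		"169.254.1.1", "::ffff:169.254.1.1",
		"8.8.8.8", "::ffff:8.8.8.8",
		"::1", "fe80::1", "2001:db8::1",
	}
	for _, s := range samples {
		addr := netip.MustParseAddr(s)
		label, _ := classify(s)
		fmt.Printf("%-20s unmapped=%-16s local=%-5v %s\n",
			s, addr.Unmap().String(), isLocalAddr(addr), label)
	}
}
```

The point of the pattern is not to reject mapped addresses (a dual-stack server legitimately sees them) but to make sure the same source is classified the same way regardless of its textual form; if a check like this gates an admin path, the bypass is exactly the "mundane library function that turns into an auth decision" the comment describes.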


Every month when there is a new Chrome release, there is a handful of CVSS 9.x vulnerabilities fixed.

I'm always curious about the companies that require vendors to report all instances where patches to CVSS 9.x vulnerabilities are not applied to all endpoints within 24 hours. Are they just absolutely flooded with reports, or does nobody on the vendor side actually follow these rules to the letter?


The classic: we need a 3-month approval process to update software, but at the same time use SaaS that updates daily and breaks every other week.


> I'm always curious about the companies that require vendors to report all instances where patches to CVSS 9.x vulnerabilities are not applied to all endpoints within 24 hours.

That sounds like a nigh-impossible requirement, as you've written it.

I suspect the actual requirement is much more limited in scope.


No. It’s extremely common for security standards to be completely out of step with what’s actually viable in an organisation, and for aspects of them to be ignored, unspoken.


the rating is nonsense anyway, which one actually applies to code you run varies wildly

9.x vulnerability might not matter if the function gets trusted data while 3.x one can screw you if it is in bad spot


Pretty sure if I had to bet on incentives or expertise, I'd bet on incentives every time.


Also, sometimes CVEs aren't really significant security issues. See: curl


If Spaniards think their government is doing a bad job, why don't they vote them out? They are still a democracy, aren't they?


The opposition is also pleasing to LALIGA, so that wouldn't change anything. And LALIGA managed to secure a legal ruling by a corrupt judge.


Most of the methanol poisoning during Prohibition happened because the government deliberately poisoned ethanol supplies, to prevent them from being converted to drinking spirits. This insane policy caused 10 to 50 thousand deaths. There's no good data about how many died from moonshine methanol poisoning, but likely, outside of the Prohibition years, the numbers are in the low tens per year.


Not likely to survive 1st Amendment challenge - it is possible to compel somebody to certain speech as a result of losing a case, but doing this as a prerequisite when the case has just started is not likely to fly. Otherwise I could force Facebook (or any other platform) to publish anything just by suing them - and anybody could sue anybody else on virtually any grounds.


https://about.fb.com/news/2025/01/meta-more-speech-fewer-mis...

"We will allow more speech by lifting restrictions on some topics that are part of mainstream discourse and focusing our enforcement on illegal and high-severity violations."


I hate the brutalism and would never have anything like that in my home, but I certainly admire the work. Great job. It is true art, even if not for me.

