Hacker News: firefoxd's comments

Author here. I posted this on Sunday for a light read, but I guess it got traction today.

Based on the comments I see here, I think the focus is going on the turnstiles just as it did when I worked there, while the cookie credentials are pushed aside. I think that's the security theater. We are worried about supposed active shooters and other physical threats while a backdoor to the company is left wide open. The turnstiles are not useless: they give an active record of who is in the building, and stop unauthorized people. But they also give so much comfort that we neglect the other types of threats.


> Based on the comments I see here, I think the focus is going on the turnstiles just as it did when I worked there.

You titled the piece after the turnstiles and spent the overwhelming majority of the post talking about them (and surrounding physical features). The Jira ticket felt secondary, and when it was introduced in the middle of the post I was genuinely confused, wondering why the heck the card system was contacting Jira.

People reading your writing are going to focus on whatever you did when you wrote it. The turnstiles read like the important part.


The part about Jira is important because it highlights that while the company claims to take security seriously, they in fact do not take it seriously.

The incompetence of the turnstiles makes it a good focus for the story while the juxtaposition of the turnstiles with Jira exposes the company's hypocrisy.


What's the threat model for cookie theft? That if someone gets access to your company hard drive, but not enough access to install a keylogger, then instead of invalidating a session you also have to invalidate the password too?

It's an issue but I wouldn't call it a particularly big issue. I don't think it's very damning for how much the company cares about security.

And it sounds like the turnstiles did work for actual security? Sure, they gave up on per-floor security, but that's a lot less important.

Edit: And if employees are reusing passwords then we should be getting them password managers (or SSO) as the top priority, much more than we worry about logins in cookies inside the building. I mean, there's a point where a single purpose password and a login token become the same thing.


A threat model is that you can steal the creds of any high-clearance officer in the organization. If they reuse the password on the network, you now have unfettered access.

SSO is much more common these days, but that wasn't the case back then.


Steal the creds by doing what, though? Most attacks could get their password even if it wasn't in the cookie.

And password managers have been plenty well known for a long time.


How do you get the password if it's not in the cookie? When it's in the cookies, any 3rd party script can swipe it.

A third party script that's embedded into the task management website? Otherwise I don't see how it's going to get to the cookie. And if it is embedded into the website, it can force a fresh login and steal the cookie that way.

And you can set HttpOnly to stop JavaScript from being able to access the cookie... but that still won't stop the attack of making them log in again.


The threat model I imagined here was:

1. Initial access to physical machine, most likely via phishing malware, reckless employees downloading untrusted content, or bad luck.

2. Malware looks for browser cookies, hoping to steal temporary credentials but instead gains persistent creds, which grant Jira access. People re-use passwords; malware tries this password against AdUser and any other systems or other corp user accounts it can find.

3. Direct Jira access used to pivot, that custom Jira app is probed for app vulns (likely given design).
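The two cookie designs argued over in this sub-thread (credentials stored in the cookie, versus an opaque HttpOnly session token that can be revoked without a password change), as an added Python example that is not the article's code nor any commenter's; the SessionStore class, the cookie names and the sample values are constructed for illustration:

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed example (not the article's or any commenter's code): both cookie designs side by side.

def insecure_credential_cookie(username: str, password: str) -> str:
    """Pattern criticised above: the real credentials ride in the cookie. Whatever
    reads the cookie jar gets a password that may be reused elsewhere, and the
    only way to revoke it is to change the password itself."""
    cookie = SimpleCookie()
    cookie["auth"] = f"{username}:{password}"
    return cookie["auth"].OutputString()

class SessionStore:
    """Server-side sessions keyed by an opaque random token: meaningful only to
    this app, and revocable without touching the password."""

    def __init__(self, ttl_seconds: int = 8 * 3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (username, expiry timestamp)

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, time.time() + self.ttl)
        return token

    def lookup(self, token: str):
        """Return the user for a live token, else None (expired ones are purged)."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if time.time() > expiry:
            del self._sessions[token]
            return None
        return username

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)

    def revoke_all_for(self, username: str) -> int:
        """Kill every session of one user, e.g. after a laptop goes missing."""
        doomed = [t for t, (u, _) in self._sessions.items() if u == username]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

def session_cookie(token: str, ttl_seconds: int) -> str:
    """Hardened Set-Cookie value. HttpOnly hides the token from document.cookie
    (it does not stop malware reading the cookie store, as noted above); Secure
    limits it to HTTPS; SameSite=Strict blocks cross-site sends; Max-Age bounds it."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["max-age"] = ttl_seconds
    return cookie["session"].OutputString()
```

Losing a session cookie still lets an attacker act as the user until it is revoked or expires, but it hands over nothing that works on AdUser or any other system.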


So with a better system the malware has to wait an extra couple hours to get the password (by dropping the non-password authentication cookie and making the user log in again), and it can still prod Jira in the meantime. That doesn't strike me as a very big difference. It's an improvement in security but not a big one.

More likely:

1. Get e-mail from boss, look at headers, find boss IP addy

2. Failing that, memorize boss office number or workstation tag, run stealthy network scan, do reverse dns lookup

3. Be a router, arp spoof mitm attack

4. ?????

5. Profit


I believe that was the intent, but the (very few) mentions of Jira feel like a bit of a non sequitur; they don't belong.

I care a lot more about my life (or my car's catalytic converter, which was stolen off my car in my work parking lot before they installed a gate for the lot) than any of my work-related IT credentials. Health and safety threats are a much bigger deal to people than nebulous, difficult-to-exploit threats to IP.

Except the turnstiles and swipe cards do almost nothing against an active shooter situation.

But missing in this discussion is a risk and consequence analysis. If the risk is armed attackers, do something that targets that. For physical theft, target that. Likewise IT risks. The core problem is that risks were not being identified (systematically or in response to expert feedback) and prioritised.

Incidentally, the solution to car park access is ALPRs, and the solution to most of the physical security is solid-core doors at the workgroup level with EACS swipe and surveillance cameras there, and at the front desk face-level 4K video surveillance, with an on-duty guard to resolve issues with access.


> The core problem is that risks were not being identified (systematically or in response to expert feedback) and prioritised.

Or the person who wrote the article just wasn't involved in that loop, or otherwise disagreed on what threat models mattered.


You're right, but the consequences of different security failures are different, no?

Perhaps part of the problem is that an active shooter is easy to visualize and understand whereas unsecured credentials stored in cookies are an abstract and difficult to visualize problem for management.

Furthermore, turnstiles are easy to promote and take credit for. Secure web authentication would have to be explained to and understood by the boss's boss before credit for it could be claimed.

I suspect it's these aspects of organizational reality that result in security theater.


I think it has less to do with ease of visualization and more to do with priority of consequences.

Do a poll of whether people would prefer that a mass shooting or a mass data breach occur at their place of work while they are there. I bet I know which one wins.


The majority of commenters don't actually read the article, or at least not the whole thing.

I don't think you could take over the company with a Jira token. Another factor for consideration with turnstiles is disability access and fire egress. Those are covered by building code, but since this is a parable, it's worth noting that physical security has often caused tragic stampedes that have killed many.

You are right, it's much harder to compromise a system with the Jira token, which is why it was the solution for the username/password stored as cookies. Plus the token was never exposed to the client.

I was disappointed by the lack of a photo of the single turnstile.

Hi author, a tangent:

    <meta name="viewport" content="width=device-width, initial-scale=1" />
For us who need to zoom in on mobile devices.

Ok, do you mind briefly describing what issues you saw on mobile?

Zoom on mobile is not possible. So all the graphs are tiny and not readable.

Yes, writing code is easier than ever; my problem is that understanding it still costs the same if not more [0]. I get that when people use agents, understanding code is not the concern because it's not exactly catering to people, it's for other agents. But when maintaining applications that have been running for years now, I still believe we need to fully understand code before we commit.

[0]: https://idiallo.com/blog/writing-code-is-easy-reading-is-har...


Somehow we've normalized running random .exe on our devices. Except now it's markdown.exe and you sound like a zealot when advocating against it.

What should I do with all my video games?

My video games aren't connected to my email.

I was hoping he would provide some insight about why they avoid the sun. From observation, Thiel looks like he is getting too much sun, or at least his skin has been reengineered like Alucard. While Johnson is just cake [0].

Side note: for once, I'm enjoying a heavily AI assisted article.

[0]: you'll have to find that reference on your own.


There is a selection of books that I have read a couple dozen times, then I got the audiobook versions. Some books make no sense until you reread them and finally notice the clues that were left behind on the very first pages.

It's like with any other medium: the first run through is for entertainment. For example, I watched a Veritasium video about quantum physics. Fascinating. But I couldn't explain anything because I didn't understand it. It takes several watches to actually understand the concepts.


After an acquisition, we are transitioning from Google Meet and Slack to Teams. I used to hate Slack so much with their random features popping left and right and menus moving around. Oh, I didn't know how good we had it.

Slack is a delight compared to Teams. And I'm not even alone in this, everyone is still using Slack until it gets pried from our hands. So help me God if anyone mentions Copilot one more time...


Due to the way Microsoft does sales to enterprises, there’s no incentive for its software to be any good or even compete directly with anyone else… as long as it ticks the right boxes, the people making purchasing decisions are fine with it (it’s bundled in with something critical like Excel anyway).

If the gov really took an expansive view of antitrust, it would break up software bundling and require à la carte pricing per app, defined as a single primary use case.

This will become all the more important as OpenAI/Anthropic start bundling all of their products together and putting existing SaaS out of business for no reason other than that, to get some crucial model or capability, companies have to buy the whole bundle.


Despite their confusion as to whether they want to really support their free and open source versions (without some absurd user count cliff), Mattermost (https://mattermost.com) is quite excellent and IMO is better than Slack. For example, the editor leans towards native Markdown, so things like syntax highlighting with backticks work as you expect.

Their recent update removed the paywall from SSO (and unfortunately the Gitlab SSO workaround) for social logins up to 100 seats, after which there's an absurd per-seat cost similar to its non-open-source brethren. One day if needed, I plan to drop in an SSO middleman allowing anyone to leverage their own SSO layer (which will map to the login form with username/password) to avoid the SSO limits altogether. Though it's good enough for my needs, and likely yours too. Especially if you're open to paying for their seats.


It should start by looking at robots.txt.


Hi, thanks for your comments (it's on the plan). Since Mojo is early-stage software, there are still things that need to be integrated. However, Mojo is not a mass-crawler (you have to specify directly what to crawl), so even if I add robots.txt (which is in the plan), evil users can still just bypass this (I expect Mojo to be used by technical (non-evil) folks).

But thanks for your suggestion :)


I must be using web browsers completely wrong. Like browsing a page isn't a problem for me. I can do it at the speed of my needs.

I'm having a hard time understanding why I will tell gemini to create an account on some website for me or send an email. Those are usually just a tab away. That's why I feel like I'm missing something here.


Basically none of their examples are just "browse a page"? They're multi-step tasks combining data from multiple pages.

Like the first example in the demo carousel (the Y2K party) starts from a photo and a prompt of roughly "buy the props needed for replicating this photo from Etsy". It first analyzes the image in the current tab, identifies a bunch of things to buy, searches for them on Etsy, customizes the orders, adds them to the shopping basket, and then asks for a confirmation to actually send an order.

The second one auto-fills a form with a couple of dozen fields from the data that's in a pdf in another tab. (And in the fiction of a demo, presumably a pdf that you already had around, not one that you made just for the purposes of using it to auto-fill the form.)

I'm not the target market for this: automating a browser with my credentials is just too scary, but I can certainly see the utility. There's a huge number of tasks that take a minute or two and are not worth creating bespoke automation for, but that are also pretty mechanical processes.


Maybe I’m a curmudgeon who can’t imagine throwing an elaborate Y2K party because all my friends were alive and threw parties at the real Y2K, but… these all feel extremely contrived.

It’s as if they used AI to generate use cases for their AI tool because they weren’t really sure what it’s for…


Do you ever have a project that requires research and comparison? This can automate that.


Yeah but that's what I'm already using regular AI powered search for.

I suppose by being in the browser it can access private and paywalled data, so maybe that's something.


Exactly. I think I'd use it for hotel price search where you usually don't get the real price until deep in the checkout process.


I feel that way about IDEs too, though. My text editor has snippets, my file manager shows me what files are where, and my terminal lets me run programs. Why it's important to people that these functions be grafted into a single window escapes me.


This is satire, right?


No. Why would you think that's satire?


Maybe you're only using well-designed sites? Try making a booking with a Chinese airline and you'll quickly wish for an assistant to delegate it all to.


Funny you say that; I was literally just booking a flight with Air China yesterday and the UX was 10x better than the average Wizzair/Ryanair experience: a clear, readable UI (with a great table comparison of prices +-3 days from the selected dates), no ads, no random services getting pushed in your face, no booking tabs automatically opening in the background.


Huh. Last time I tried with them (about a year ago), and more recently trying with China Eastern, I couldn't even get it to show me a flight that I knew was flying on a given day (just at a slightly higher price than the one it would show me).


If you struggle, then an agent will probably fail.


I know exactly what to do, it's just very tedious to actually do it. Which seems like the perfect use case for an agent.


Tedium often means a large context window. Lots of personal information to be entered, in different formats, that must be exactly right.

That's exactly what an agent regularly fails at.


Will it matter if you can’t tell?


Yeah. Because you'll think you have a flight to Beijing when you don't.


Oh yeah that bit lol


Yes. I like it for deep research, that kind of thing where I'd be wading through clickbait search results for hours.

But for regular browsing? I don't see the point.


I wrote my story and titled it, "My experience at work with an automated HR system". I sent it to a few friends, only a couple of them read it.

A week later, I renamed it to "The Machine Fired Me". That seemed to capture it better. The goal wasn't to make it clickbait, but it was to put the spoiler and punch line right up front. It blew up!

I had just read Life of Pi, and one thing I like about that book is that you know the punch line before you even pick up a copy. A boy is stuck with a Bengal tiger in a boat. Now that the punch line is out of the way, the story has time to unfold and be interesting on its own merit. That's what I was trying to recreate with my own story.


Reminds me of Veritasium's recent videos, really driving that initial hook and maintaining the viewer's attention. He had an explanation video about it which explained how people who would be interested in something like "the Lorenz equation" probably don't know what it's called, so it might be more accurate to phrase it in terms that someone would search for or that would initially pique their interest.

And I think it fits neatly with making people care first. I want to learn more about the machine that fired you, that's more the start of a narrative arc. It's almost like I have more trust that you will make it interesting, since you put a little more work up front.


That's the LinkedIn "broetry" formula.

LI only shows a sentence as a teaser, and good "broets" have learned to write a good teaser line.


This is such a perfect term for it. Thank you for starting my day with a chuckle. I feel validated.

More about this weird phenomenon: https://fenwick.media/rewild/magazine/dead-broets-society-be...


"The Machine Fired Me" is one good hook. I found the original post and it's good: https://idiallo.com/blog/when-a-machine-fired-me


The Machine Fired Me - https://news.ycombinator.com/item?id=17350645 - June 2018 (554 comments)


> The goal wasn't to make it click bait, but it was to put the spoiler, and punch line right up front.

For those who are really averse to that kind of thing and have trouble with thinking "but it is just making it sound like clickbait" in the comparison above: you don't have to go as far with it either. Just inserting that one detail without changing the style or shortening it makes the reader's mind go from "maybe some person complaining about automated form requirements in benefits sign-up or some first-week onboarding program or something" bore to "fired by an automated HR!?" interest.


I have a rule on YouTube. If the title of the video is clickbaity then I pick "Don't Recommend Channel", always and without exception.

"The Machine Fired Me" would not get me to block the channel but I've blocked hundreds of channels.

I also block any channel that appears to be a rando repeating the latest hot topic.


Same.

Also I tend to do the "Don't recommend -> I don't like this video" for those that have the thumbnails with "that face" (you know, the YouTube Thumbnail Clickbait Face, I don't even know if there's an actual term for it).

When I actually enter a video, you have my attention by default and you'll get an instant dislike for:

- "Don't forget to like and subscribe."

- Showing those like and/or subscribe buttons on screen.

- If I get suspicious that you're padding video length, talking just for the sake of stalling.


Great example, thanks for sharing.


> I had just read Life of Pi, and one thing I like about that book is that you know the punch line before you even pick up a copy. A boy is stuck with a bengal tiger in a boat. Now that the punch line is out of the way, the story has time to unfold and be interesting in its own merit. That's what I was trying to recreate with my own story.

For me this is a perfect example of what I hate about clickbait.

A boy trapped in a boat with a tiger is interesting. But the rest of the story really wasn't worth the read.

