Comment by monero-xmr 12 hours ago
Security products and practitioners are the classic snake oil salesmen. They are actually sales and marketing roles for help closing deals by emphasizing some security aspect. True security comes from general IT practices followed by engineers themselves.
I would be wary of making categorical claims like this, but it's unfortunately true that "security" field hasn't been doing well in a long, long time now.
Half the field is B2B "magic bullet" solutions like CrowdStrike and all the associated sales tactics - with pitches that boil down to "you give us money, we make your security issues go away". Half of what remains is mandatory certifications and other flavors of checklist-obsessed cargo cultists - often CYA-driven, often demanding the adoption of the fancy acronym of the day, regardless of the real threat profiles. Then you get the "security snake oil" - "magic bullet" systems that don't work, never did and never will, but are supported by the right influence groups and get the right pockets lined, and so are used anyway. DRM systems like WideVine and PlayReady being the prime examples. Then there are the corporate "security of our business model" shills - who pay lip service to "security", but have the true aims of "prevent anyone we don't like from doing anything that can harm our revenue streams" - with Apple being a common example.
And about a fifth of the field is people who do actual security work, and keep the sky from falling.
I agree with you totally, although I'd venture to guess 20% is way too high. I'd say you have about 10% people doing security work, 15% doing compliance, and the rest are consuming oxygen.
It's a growth field, so you have lots of idiots getting certifications and stupid jobs. Reminds me of the 90s when I started, and companies were paying MCSE's (ie read a book, hit next-next-finish in Windows NT) more than software engineers in some markets.
> True security comes from general IT practices followed by engineers themselves
Sounds exactly like something the average security practitioner would say...
`not_sure_if.jpg`
> True security comes from general IT practices followed by engineers themselves.
I have yet to meet an org whose engineers care about security, or who would not compromise security if secure practices got in the way of shipping a product or feature.
I'm a bit amazed you consistently get downvoted while you seem to speak the truth. So much gray in your comments.
I consistently see this commenter making a single comment, of questionable relevance, expressing a strong opinion which isn't particularly thoughtful or interesting or true. Then they ignore the pushback and move on to the next thread, where they post another tangential hot take. I'm not at all surprised at the result. Those comments attract a lot of downvote because they aren't very good.
This thread is a microcosm of that. They went on a tangent from a tangent to express how little they think of their colleagues working in security. It wasn't out of curiosity, it didn't raise interesting questions or provoke interesting debate. They didn't defend or substantiate their opinion so that they and we could learn something from it. It was just a drive-by flamebait to stir the pot and express derision. It should be downvoted; it's a bad comment.
Perhaps that pattern is difficult to see when their hot takes align with your own takes.
I don't understand what "you seem to speak the truth" means if it isn't an endorsement?
I post my view that is against the HN hive mind and don't always feel like rebutting the same hive mind talking points again and again. I like to post to prove there is an alternative view out there
I'm also guilty of what they accuse you of. Sometimes my internet comments are not made for the purpose of sparking discussion, but more of a "vent" where I know my take is not popular but I feel the need to throw it out there anyway. The comment is more for "me" than anyone else. And, yeah.. that makes it a bad comment lol.
I also just love playing devil's advocate, and I'm adverse to hivemindy-feeling opinions (even when I share them). Maybe this all describes you, too.
I don't have a problem with people doing that as long as they don't pretend that every other commenter holds the same contrary opinion and that the downvotes indicate they're too sensitive to discuss such things, or other similar rationalizations. If you want to leave some drive-by snark without rationalizing it as being about other people, it's not my favorite kind of comment but I'm not going to object to it either.
I don't know your motivations but I know the "HN hive mind" isn't the problem. When you do engage with people who disagree with you, it usually becomes evident to me that there isn't much substance behind your views and that you struggle to disagree amicably. I also see lots of people on HN with a similar perspective to yours who don't have the same problems or engage in the same patterns of behavior.
The facts are that HN has a diverse set of perspectives with many conservative/libertarian commenters who would align with you, but that your comments are frequently shallow flamebait. Though I have seen a couple good points you've made, as well. Do with that information what you will.
> True security comes from general IT practices followed by engineers themselves.
Thank goodness engineers pop up out of the ground fully trained on good general IT practices....