Serious Techy Business Thread

What did they ever do to you?

Yeah dribbble design circlejerk is a problem. I don't consider research as optional, but I don't get any budget or time for it, and if I had the time our clients wouldn't let us near users and either tell me they would tell me what to do or if something was wrong, and/or insist I just ask them (AKA the people from the client's IT department that don't use our software and have a different profession and have not even heard of things like contextual inquiry, personas or usability walkthroughs and don't care about their users) and even if I had access and would be able to identify issues I don't get any budget or manpower to fix those.

Whoops:

www.theregister.com/2023/04/06/acro_security_incident/

This is always the answer to the 'if youve got nothing to hide, youve got nothing to fear' lot. I dont want idiots to have information that could be used to bring my life down.

It was a tune Labour also used to play when they went full bore surveillance state, to be fair. They were actually even worse than the tories on that front.

We do ransomware readiness exercises quite regularly. Scenarios, drills and table tops and all that.

We had a guest speaker from a fairly big firm that was hit and his advice was ‘just pay it’. They wanted 1.5m which they refused to pay only for the final cost for return to service, after six months of absolute hell, to be nearly seven million.

The point he was making, really, is that the ransom should costed into the overall recovery. If they dont decrypt youre, in this instance, down 8 rather than 7 million but if they do decrypt thats a whole fuck load of time and money better spent on making sure it doesnt happen again.

It is against guidance and against everyones first instinct but, yeah, he made a lot of good points in terms of risk/reward. A chance you get back on your feet quickly Vs 'This is definitely going to take months'.

Don't get me wrong, I'm not saying he's wrong (I wasn't there either for his talk or his business' issue, for a start!), but more that I suppose that's a decision everyone has to make individually. I'd be interested to know what their preparedness status was. Did they have mitigations in place and a BCP, for example. It's not (paying) considered a mitigation to having to announce data loss by the ICO, so it won't protect you from any potential reputational damage either.

Not being properly prepared is a shitshow, eh?

Another interesting thing which has me learning new stuff is that a lot of our product devs are moving away from the more traditional types of architecture and into things like serverless (CaaS/FaaS/Lambda etc) for ephemeral applications which if it's done properly looks like your more traditional "give me BTC!" ransomware might have issues with. Obviously, it's not immune to vulnerabilities (poor segregation, stolen credential issues etc) but it's not as likely to be encrypted by malicious actors because you can just turn it off and spin up another instance from your templates which are elsewhere.

Presumably, they'll catch up to that sooner or later.

If you dont pay, there is 100% chance you dont get your files unlocked. Im not saying 'always do it' but to rule it out completely is pretty dumb in certain situations.

Has anybody had the 'pleasure' of creating a WordPress theme using 'Blocks'?

But it's a "case study in how to handle Cyber incidents"!