latexr 7 hours ago

> Based on the comments I see here, I think the focus is going on the turnstiles just as it did when I worked there.

You titled the piece after the turnstiles and spent the overwhelming majority of the post talking about them (and surrounding physical features). The Jira ticket felt secondary, and when it was introduced in the middle of the post I was genuinely confused, thinking why the heck the card system was contacting Jira.

People reading your writing are going to focus on whatever you did when you wrote it. The turnstiles read like the important part.

margalabargala 6 hours ago | parent [-]

The part about Jira is important because it highlights that while the company claims to take security seriously, they in fact do not take it seriously.

The incompetence of the turnstiles makes it a good focus for the story while the juxtaposition of the turnstiles with Jira exposes the company's hypocrisy.

Dylan16807 3 hours ago | parent | next [-]

What's the threat model for cookie theft? That if someone gets access to your company hard drive, but not enough access to install a keylogger, then instead of invalidating a session you also have to invalidate the password too?

It's an issue but I wouldn't call it a particularly big issue. I don't think it's very damning for how much the company cares about security.

And it sounds like the turnstiles did work for actual security? Sure, they gave up on per-floor security, but that's a lot less important.

Edit: And if employees are reusing passwords then we should be getting them password managers (or SSO) as the top priority, much more than we worry about logins in cookies inside the building. I mean, there's a point where a single purpose password and a login token become the same thing.

firefoxd 13 minutes ago | parent [-]

A threat model is you can steal the creds of any high clearance officer in the organization. If they reuse the password on the network, you now have unfettered access.

SSO is much more common these days, but that wasn't the case back then.

glitchcrab 5 hours ago | parent | prev [-]

I believe that was the intent, but the (very few) mentions of Jira feel like a bit of a non sequitur; they don't belong.