Stack Exchange is no longer available from my workplace due to this change. We have a strict no-posting-code-fragments policy, and SE was viewed as too risky to allow without some restriction in place to make it read only. Before HTTPS, the IT department had worked out such a read-only restriction by blocking the SE login with firewall rules. But with HTTPS that kludge is no longer possible, so the site is blocked.
Many banks have very strict IT policies on posting things on internet, and they have valid business reasons for that. Not saying you meant that, but it's not like they're some dark, silly workplaces that people should get away from asap.
The enforcement is stupid (both the previous hack and now the block). For me this actually would be a sign that the workplace isn't quite the right fit for me, if the basic assumption is that I ignore the policies anyway - because that's what this seems to indicate?
> The enforcement is stupid (both the previous hack and now the block)
Hack indeed. Seems like blocking POST would block posting stuff, while blocking the login allows you to just copy your cookie, and doesn't allow you to view your notifications.
> Many banks have very strict IT policies on posting things on internet
Yes, they do. And I really love it. Because it means that MY bank eats their lunch, because the bank I work for actually UNDERSTANDS how to use technology, while still keeping (very!) strict controls.
Would be curious which bank you work for. Most do not seem to value technology--which is odd, since most "cash" only exists as data in a computer somewhere. I'd much prefer to patronize a bank that understands and takes seriously their tech.
I work at Capital One. We have been a bank (and are regulated as one), but are trying hard to become a technology company that is specifically focused on banking.
And I'm probably biased, but I think we have some pretty great products also (checking accounts with no fees that pay some interest, savings accounts with very good rates, and so forth), so maybe you'll get a good deal as well as a technical focus.
I don't know how you'd get anything done since there are answers on Stack Overflow that solve problems that otherwise would involve hours to days of fussing to come up with the same non-intuitive solution.
All roads lead to Stack Overflow these days for programming problems.
Just out of curiosity, do those 7.5+ million accepted answers include those closed as duplicates? Because by far my biggest complaint is finding the exact question I have was closed as a duplicate and links to a question that is useless at answering my question.
In that case you can vote to re-open and perhaps even post a bounty. Although bounties tend to invite lots of low-quality, low-effort answers just on the off chance that they might be the top-voted one once the bounty runs out.
I feel you. I've taught myself programming between 13 and, well, I'm now 23; so by the time stackoverflow came around I had figured out how to solve things myself. When I have a question, it's usually either opinion-based (bad fit for SO) or not a common question.
I'd say 1:20 is a good estimate if I ignore answers that didn't read my question (which is most of them), but indeed the facts disagree.
Back then I didn't speak proper English, and how many questions were actually covered on SO in the beginning? It took some years to get to where we are, both for SO and for my English ;)
I have had the same experience with embedded programming questions. I suppose they depend too much on the hardware. I do quite a bit of programming with the BeagleBone Blacks (or at least the same processor). And it seems the best resource is the mailing list.
This sounds beyond absurd to me.
Do they also block USB ports to prevent you from copying everything on a USB drive or external hard drive, or phone?
Do they lock/solder your machines shut to prevent you from taking out a hard drive / plugging in a new one and then taking it out?
Do they prevent you from... printing the code? In what parallel world do they exist that they think this would make a difference?
As someone who works at a finance related company: yes. No USB storage is allowed, all cloud hosting sites are blocked (not SO, thankfully, they're more worried about us stealing SSNs and other PII than code), and all printers are logged and have drivers that detect if you're printing PII and censor it by default (or so I've been told, I don't really feel the need to test that).
A friend works at an investment firm, and has similar restrictions as the above commenter mentioned (no SO, no USB, no printing, etc), as well as pulling his phone out while at his desk or around any other computer being an immediate fireable offense.
A few years ago, I interviewed at a company called 'G Research' and the security procedures I noticed included:
* A 'secure zone' where work took place.
* All desktops virtualised, using thin clients.
* All Windows, no admin access.
* Screens, filesystem snapshots, and web access recorded, all the time.
* All software installation subject to approval (e.g. Firefox not permitted, only Chrome).
* Desks fixed in place, all cables in locked cable trays.
* Separate internal-only e-mail system.
* No printers.
* Specially printed notepads & other stationery in the 'secure zone', no secure zone stationery to leave or non-secure-zone stationery to enter.
* No cell phones, cameras or laptops permitted (lockers were provided).
* Entry points with human guards and metal detectors.
* No late working outside guards' hours.
While it would have been possible to get around the security if you were inventive enough (e.g. camera with no metal parts) it would be difficult to do so then believably claim it was an accident.
I didn't take the job, because I didn't feel I could be productive with so much bureaucracy.
I've worked in financial software and they do block USB ports for any storage device. They block SD card slots too. All work was done on a VM that could only be accessed from the company network and was remotely hosted.
Leaving aside all the reasons why this policy is super dumb (which I'm sure others will cover quite adequately), I guess your IT department can't figure out how to create their own CA certificate and do SSL interception?
Yeah, I'm amazed and concerned that you have a security team so paranoid that they would make SuperUser read-only but apparently lack the ability to perform SSL interception. Considering the huge value the latter has in any kind of post-compromise scenario and, increasingly, to prevent compromise in the first place... there needs to be a real discussion about getting priorities in order.
There are many enterprise "solutions" that basically do this "out of the box". Yeah it shouldn't be done and a lot of employees are likely unaware that IT can see all of their SSL traffic but it's a big business.
This is nothing that can't be addressed through training. Questions on Stack Overflow with generic code actually get better responses than those bogged down with irrelevant details. You should strip out all labels, names, even extraneous fields that don't matter. It makes for a more generic problem and solution pair that can help others as well, and eliminates the problem of leaking proprietary information.
Maybe about half the time I end up answering my own question during this step. The act of genericizing the question ends up giving me some new approach, which either works, or leads me to new existing questions-and-answers.
IP protection. In a prior life I saw someone fired for mailing a model to a home account. Pasting code to a public website would violate similar protocols.
A company that trusts their employees.
There are so many ways to get around this anyway so it doesn't make sense to try to enforce it in the first place (considering the issues that follow).
Seems obvious that someone high up on the corporate ladder, with no practical knowledge in how the nitty-gritty work gets done, made the decision. Probably to "minimize IP theft".
Why don't they just recompile chromium without support for the textarea element, make that the only officially permitted browser, and call it a day? :-)
Sorry, but such a policy is just stupid. There are many, many ways one could get a snapshot of code without posting it online. I respect SE for their decision to make things right, not kneel down against customers and their faulty "security" practices which can often be seen.
I honestly wonder how exactly places like this want to enforce policies like this. Do they allow you to take a phone into your workplace? Aren't they scared you will take a photo and upload the code fragment?
Well, sites doing TS work, you can sort of understand that.
I knew someone who worked for the scientific civil service and they were not allowed to have a phone with a camera.
I have also been for an interview at a site (HMGC) where you have to hand in all electronics at reception. This was an avowed role btw, so I am not breaking any laws; the organisation even has job adverts on the local buses.