Anon witnesses excellent security

Had that discussion before. Was attacked because I use a f&os lib from GitHub instead of a paid and licensed one, the latter somehow meaning it's error free. Spoiler alert: it wasn't. Or at least their usage wasn't.

My org told me “you can’t install open source software”

Everyone uses Firefox

I just want OpenShell

this is supposed to be more secure because it costs money

It makes blaming someone really easy though and that's all that matters in a corporate world.

This is legitimately it. The same reason corporations often pay for Linux (e.g. RHEL)—the people in charge want to be able to pick up a phone and harass someone until they fix their problem. They simply can't fathom any alternative approach to managing dependencies.
- Not just pick up the phone and harass someone but to also have someone to press a lawsuit against if things go really wrong. With free software the liability typically ends at the user which means all they can do is fire the employee and eat the loss. Suppose now corporate paid for it, well now there is a contract and a party that can be sued.
So corporations are just The Gang in It's Always Sunny In Philadelphia?
Would be really funny if they still get fucked over because of some fine print in the disclaimer
- Or maybe the vendor goes with "take the money and run".

Every day I wake up I thank God I'm not an MBA 🙏

Sometimes I wish I was a piece of shit so I didn't need to worry about money.
"This fucking paycheck! What am I going to do with all this money?"

Honestly, a policy of "no free-of-charge software installed on workstations except FOSS" might improve security a bit and probably without doing all that much damage to the day-to-day workings of the company.

For that matter, if my employer instituted a policy of "no software except FOSS", my own particular job probably would be a surprisingly small adjustment. As long as they were willing to do the work to set up infrastructure and/or let us switch to FOSS alternatives that require third-party server providers as necessary. About all I can think of that's installed on my work machine that's proprietary is:

Zoom
A paid corporate VPN client
A random program that I use to authenticate to Kubernetes clusters in use where I work (so I can use Kubectl)
Chrome
The Client Management software my company uses (the software they use to remotely administrate the company-provided machines -- force install shit without telling you, spy on you, nag people who have computers that aren't actually used to return them, wipe your computer if you report it stolen, etc)
And, of course, bios, proprietary firmware blobs, etc

Beyond that, I honestly can't think specifically of anything else proprietary installed on my work machine. My personal computers have far less proprietary software installed than the above list.

Not related, but did you ever use k9s? Quite nifty CLI tool to control Kube, albeit not on a very advanced level, it helped me a lot to not get drowned in Kube commands.

It's "more secure" because there's a specific company to blame when it goes wrong.

Security through liability
- The bigger you get the more this is a thing actually.
That would make some sense if the company was purchasing a solution, not a tool. Or a contract/SaaS model or something. Instead, it's like banning known screwdriver brands and expecting people to still have no problem loosening and tightening screws...
Yeah, i worked briefly at multinational japanese motor company and this was their logic. I was hired as a software developer contractor and HQ had rules stating, no open source software, no free software and the one that puzzled me the most no in house executables (WHY THE FUCK DID THEY HIRE ME?)
- How were you supposed to test your software if you weren't allowed to create an executable?
Sure but what if they have "we can at best refund you, no more liability from us" in the EULA?
Like, when the $10 "Yeblie PDF Censorship Tool" turns out to just have drawn a black rectangle and kept the CEO's SSN underneath copiable, what's stopping Yeblie from just forking over the $10 (and perhaps rebranding to Gtriik for good measure)?

Everyday my misnathropy is justified

I majored in Anthropology in college. I should have done Misanthropology.
- You did; just need to apply it.

It's not more secure, it's so they can offload blame and have people to sue if/when something ugly happens. Liability control, essentially.

We had to pay for fucking Docker container licenses at my last job because we needed an escalation to the vendor in case our SMEs couldnt handle things (they could), and so we had a vendor to blame if something out of our control happened. And that happened: we sued Mirantis when shit broke.

Hey PS: search engines do return a result for a suit against that company so potential self-doxxing territory (but maybe you’re open in your comment history IDK)
(Don’t have a PACER login so couldn’t tell what was up with the suit that came back when I checked this morn, also could’ve been an unrelated suit)
Ever hear how the suit turned out, generally?

There is an entire sub-industry and probably thousands of jobs being propped up by this stupid way of thinking about software. I can't be mad at it because it pays the bills for a few of my friends...

I could really see companies just fork open source and give it a tweak like UI or new switches...
Terrible.
- At one point my company made us buy Eclipse from a vendor because free software was not allowed. It had no tweaks or support, just out of date Eclipse that I had to wait for purchasing to get
- I could really see companies just fork open source and give it a tweak like UI or new switches…
  They should not be able to do that if it comes under non commercial licence

Worked for a company that had a similar policy against free software, but simultaneously encouraged employees to use open-source software to save money. I don't think upper management was talking to the IT department.

My previous employer was bought by a huge company. I liked it in the small company, because I had freedom to do what was needed without much questions, and I was trusted to make the relevant decisions and purchases. Kind of a "Costs be damned, get it done in a reasonable amount of time" kind of arrangement.

When we came under the big corpo, we got an email instructing us to list all the software we used/needed, so that it could be added to the whitelist that big corpo worked with. Anything not in the whitelist simply couldn't run.

I gave them the list, but spoke to my on-shore It guy that out in the field we often needed to install something that we didn't need before on short notice, and waiting for a ticket to be resolved for an administrative matter had the potential to stop production.

They found it easier just to make an exception for my work PC. I just had to promise not to VPN in to the office while running "weird" stuff, otherwise the higher ups would get upset.

That's fine. I had my own VPN for only the stuff I needed anyway. I VPNed into offshore production systems on a daily basis. I needed to VPN I to the office once or twice. Plus in my book, the "main" VPN client is what I consider weird software. My shit was basically a wrapper around openvpn.

EDIT: To be fair, the huge corpo employer wasn't unreasonable. It was just so large with so many employees that strct security implementations were needed for IT to have some sort of control. I was technically also IT, but I only dealt with field equipment, so that IT could focus on "normal" stuff. They trusted me to handle my end, they handled theirs, and we usually cooperated fairly well when our systems "met".

"we need this NOW"
Package I install is immediately black listed by IT, I submit a high priority ticket and I don't hear from them for days, maybe weeks
Like what the fuck can I do
- "Yes, but does one of the existing whitelisted executables fulfill the same function?"

Anon works for my company? Because they did exactly this with the same excuse.

Yeesh. I would find a new job immediately. Absolutely unhinged behavior.
- Yup, my boss would get my 2-weeks notice immediately. Like same day. I'm not putting up with that BS.
how thoroughly was it followed through? how was ensured that no free beer software was used?
- I've had some workplaces where they instituted overly heavy-handed crackdowns through IT Policy then rolled them back after a couple of weeks because someone in upper-manglement needed to see the impacts in the real world that they already were already warned of before they could be convinced that their genius new policy wasn't such a good idea
- That's a great question. In my experience (15 years at MSPs and several years as a freelance consultant where I'm mostly in house one place but take side jobs) I've been the one who had to make this change.
  Some companies are very serious about it. Laptops end up on some device management solution that can tell every program you've got installed and flag anything not pre-approved. Then take away everyone's ability to install outside of device management.
  Some companies want to scare the users into compliance but want IT to be able to do their own thing. So they'll install some easily bypassed thing or enroll everyone but not keep an eye on their network to find rogue devices.
  Some companies threaten it, pay money for a consultant to put together a plan, don't like the price, threaten to go elsewhere, and the exec who championed it finds a new job while nothing of note was done, but they're sitting on a handful of licenses for software no one is using.
  I used to carry a toolkit of free software in portable format on a thumb drive and another thumb drive with a full Linux environment in case I had to do something at the first kind of company.

“If you’re not paying for the product, then you are the product.”

The phrase has its uses, but shit like this is what happens when it's taken to the extreme.

Often times when you pay for the product, you are still the product.
- I'm the product in the sense that poo is the product of the intestines.
- That is just a fact at this point
The simple exception is free software (free as in freedom). It's really not that complicated.
Digital security education in schools actually give people brain tumour ffs

I am becoming increasingly more appreciative of the fact that I have root access to "my" company provided work device.

My boss went so far as to buy Macs because we have "special needs" (we don't) because otherwise we'd be forced to use the corporate locked down crap. I'm not a big fan of macos (prefer Linux), but root access sure is nice.
- I had to move to a Mac because of iOS development. Now I'm stuck with a Mac because the fucking thing refuses to break.
- Wait till they learn about Jamf Pro and Mosyle 😜 (Well… granted they also have to deploy it correctly after..)

Vim? Oh wow. I'd be looking into a USB Keyboard that types the entire source code of vim into the machine, assuming there isn't an easier option.

Nice. My response is my 2-week's notice.

This pisses me off

Oh my god. My colleagues were making fun of postgres users. They didn't bother doing a Google search.