- $NEW_JOB Security Guy: We harden all our systems before client delivery!

- Me: Cool! But what happens if you need to apply an update that is tripped by the hardening?

- Security Guy: We don't update our hardened systems! That's why our systems are hardened.

- Me: You... don't update... your systems?

- Security Guy: Nope!

- Me: Ever?

- Security Guy: Ever. They stay that way for the duration of the project.

- Me: Which is...?

- Security Guy: Usually 10 years. 🤦‍♂️

· · Web · 4 · 3 · 8
@ParadeGrotesque I had to read that is he a security guy if he's ok with not updating a system for 10 years...even I know that's a VERY bad idea...


I know. I am going to have a little chat with the security guy and his boss soon. I'll let you know how it goes.

(Narrator: "It did not go well")

@mgrondin @ParadeGrotesque that sounds like the usual conflict between security and safety.

One wants a well known state of the system that is tested inside out to guarantee it's behavior.

The other wants to easily upgrade to fix bugs and vulnerabilities.


The two are not exclusive of each other. It is quite common, even in high-security systems, to temporarily "degrade" or "deactivate" security measures to allow updates to proceed.

Once updated, the original security configuration of the system is re-applied and the system is locked down again.

See securelevel(7) for instance:


Sign in to participate in the conversation
Mastodon @ SDF

"I appreciate SDF but it's a general-purpose server and the name doesn't make it obvious that it's about art." - Eugen Rochko