I like to joke, and it's only partially a joke, that there are two kinds of computer systems. Serious ones and toys.
If it's a toy system then you can upgrade to the latest version, do whatever changes you want etc and if it breaks, well that's OK because it's just a toy.
If it's a serious system then you can upgrade to the latest version, do whatever changes you want etc and if it breaks, then that's also OK because you have a well funded, well designed, fully scrutinised and tested recovery policy and already tested all your changes in a properly representative system. Right. Right?
CNI would count as Serious++.

Of course I love it when people tell me that "No, no, no, this is critical but we have no funding and it's running on some old servers we found in a skip"
At that point I note that delegation can work upwards as well as down, especially when it comes to responsibility and accountability.

Then we have Safelinks in Outlook which totally obfuscates the original link and so completely negates the "hover over the link to check that it's genuine" advice.
I suppose _technically_ the IT dept are taking responsibility at that point if I do click but I know it won't actually help me to claim that.

I got into a spat with IT once about the phishing training emails where they told us _NOT_ to tell our colleagues about these emails. I got them to the point where they told me that if I wasn't certain that it was a training phish that I could tell people. So I just decided to pretend not to be 100% certain any more and coined the term 'security through agnosticism'.

Plus there's the other advice telling you to unplug your network and disable wifi if you think you clicked on something malicious. But then the advice is to follow these online instructions including calling a number which a) I can't remember and b) could only call via Teams at best because they took away my phone. Oh and I work for a telco. I've suggested they drop a word doc onto everyone's desktop via group policy (and keep it updated) containing all the information you might need if you ever have to deal with a situation like that and are offline. Guess how far that got.

I've seen exactly this from supposedly respectable pen-test teams. Their recommendation was not to "yum update httpd" but just to go to apache.org. As if visiting the website was all the instructions they would ever need to provide. I was f**king livid. It got worse when I found they had left "bitcoin ransomware files" on the server. Yes the pen test team had credentials (some tests were 'white box' style ) so them gaining access wasn't a problem, and I'm OK with them being a bit irreverent but to not even put their name and email in the note was completely unprofessional. We nearly wiped the entire platform thinking we'd been hacked for real during the pen test. The guy responsible _and_ his manager got a severe bollocking when the truth got out.
Oh and they left a process running on one of the physical xeons listening on a certain port and running whatever you sent there as root. There were so many cores you couldn't see that one was pegged at 100% without looking carefully. I only spotted it from the command history which shows they don't clean up after themselves there either.
All future pen test discussions began with "so tell me what I'm going to see in my logs and how you're going to clean up after yourselves".

They have a "3 Together 2 Wherever" rule which is 'advice' right now but becomes 'policy' in the new year. The biggest push-back isn't from people who want to continue to work from home, most of us _did_ work in the office in the before-times after all. No, the biggest push-back is from people who are OK with the 3 days a week but want to know about corner cases:
What if I have a bad cold and could work from home but don't want to infect my colleagues?
What if there is literally nobody in my team in the same office so I'm still putting a headset on to talk to someone far away?
What if I need to use a non-corporate laptop (a "dev laptop") to do actual proper technical work and find that I'm outright forbidden from using the office wired lan and the small print of the wifi forbids me using that as well - so do I just down tools on those 3 days in the office?

Of course, HR are as useless as a chocolate teapot over this, their responses (when we get them) are scattered around various FAQs (falsely anticipated questions) and emails and often don't answer the actual question and continue to talk about 'opportunities for collaboration'. In one case the response was an email containing a screenshot of text which is not searchable and probably in breach of accessibility laws.

If I have bought every previous album from a band though Amazon then one of the very few times I actually want targeted advertising is for when the band in question puts out a new album.
Yet there are numerous examples where I've only found out several months or a year later.
If they can't get this seemingly obvious thing right then there's no hope that any of these agents will be in any way useful.

Instead of "lessons learned", I've been calling it "instructions ignored" for years now.

When you are 'forced' by manglement to cut corners for cost or time reasons etc despite saying to them this is a risk then it really [*****] me off when there's a post project lessons learned session and all the same things come out.

From over 100 years ago.
https://en.wikipedia.org/wiki/...

I know, right.

If earth venues can't install a femotcell in their deadspots so the frickin ticketshafter app can get a signal to show the barcode (all for my convenience, remember) then sure, you can hold a concert in orbit, but nobody can get in.

But more seriously, there are far better payloads to put into space and far better ways to support live music of all kinds.

Came here to say the same thing. But then I realised it is 10 orders of magnitude if you round the value to the nearest order of magnitude. Lolz.

well, for me at least, is when I've bought 5 previous albums from a certain band through Amazon and there is a new one out soon. Amazon has all the data and all the incentive to say "Hey, new album coming soon, do you want to pre-order"?
But no, they can't even get that part right.

So I can understand that this might not be legal no matter how safely someone builds this (maybe? this is electrical stuff so I've no idea what the exact laws are), and I can understand that power socket accessibility might be hard once the appliance is in place due to the layout of your room. But having a gizmo that you put in the dryer that talks to a smart socket inline adaptor (a bit like a timer socket) to kill the power to the dryer once the clothes are dry would be an 'upgrade' that might have merit for some people.
No, it wouldn't alert you when it's done but it would stop you over-drying your clothes and you'd need to manually flip the switch to re-enable the socket when you next loaded the dryer of course. It would be 100% compatible with all makes and models and no need to access any interwebs.
Additionally there's probably a denial of drying attack if the comms aren't suitably encrypted so at least we'd get an amusing Black Hat talk out of it.

I think that is what is leaking from my turboencabulator.

At a previous employer using a laptop keyboard was explicitly banned if you were at a desk. You _had_ to use a proper external keyboard. They would just about allow you to walk up to a laptop in a lab environment and type a few commands directly and walk away, but any 'prolonged' stay needed a separate keyboard.
This worked both ways of course. You could always expect to be able to get a new keyboard, mouse, wrist-rest, foot-rest etc at short notice if you needed one.

My first thought on reading this story was about where to keep my keyboard/mouse etc. I'm no neat-freak but for a long time I have said that DSE [1] needs a hygiene section because of how gross keyboards can get. I would have thought that a post-covid world would heavily discourage and possibly outright ban shared keyboards - which means everyone needs a suitable locker for their kit.

[1] If the acronym doesn't translate. Display Screen Equipment. All about monitor and keyboard placement and good posture in your seating position.