Hello guys and girls!

My company tasked me to do something insane.
Little background info: I'm a trainee, in my first year (of three, even though I will shorten my apprenticeship to two years). I told my trainer that I like encryption in a somewhat private talk.

Now to the insane part. I got tasked to develop a whole security concept ~2 weeks ago to protect our products against industrial espionage. I feel in no way competent enough to achieve this especially because my concepts so far have been dismissed with a 'naaaah. Can't we just do X for now and add the other stuff later?' or 'we can't do that.'
I seriously don't want my name under a concept we would use world wide on our customers pcs which I know has serious flaws.
What should I do? What would you do?

Comments
  • 10
    I see it as a great learning experience for you and your boss.
  • 6
    Deep diving!
    In general it's probably ok, but deep diving in security, your boss is a dick head!

    Yes you can show him this.

    Don't take this as an attack on your lack of experience, it will be an awesome project for you to climb into and deep dive with, but if they were serious about protecting their devices, they wouldn't ask a junior to do it.
  • 6
    @C0D4
    Thank you.
    I'm pretty sure they are serious about this because they do pretty much everything half-assed/as cheap as possible. Our current "concept of security" is equivalent to the Caesar cipher.

    I feel kinda overwhelmed by the sheer amount of information on this topic. Do you have any suggestions that might be a good start to dive deeper?
  • 12
    Back in the dawn of time, when I was junior, a project I was on ended up losing all the seniors, leads, etc. one after the other. I ended up being tasked with running everything.

    8 months later, they had forgotten I was junior and some shit hit the fan. After a conversation as to why, I reminded them calmly that I was still junior, and working for junior wages. If they wanted to solve the problem with a high degree of certainty, they needed to acquire someone to replace the people we'd lost.

    The manager had no real way to wiggle out of that, so he admitted defeat and slunk back to his cave.

    Not really a win, just a refusal to accept blame for something beyond my depth, qualification or compensation.
  • 3
    @KittyMeowstika If a half-assed line of work begins with the boss, then I have bad news for you... It will be the same down the road, because a security concept might seem like a toy against this background. Actually, the fact that the boss throws this task on a worker with a supposedly lesser circle of responsibility makes the slogan of the firm: "We expect a lot of our employees, they should feel grateful for such a learning opportunity."
    I think there must be heavy assistance for security in your place, otherwise you are going to do the job of others and take the position of chief security assistant for a brief moment, receiving the same low salary. Hey, maybe it's not a bad thing, but considering the deadline you'd better come up with something you are able to analyse right off the bat and *convince* them that it's a working scheme.
    If you notice that the firm is going down, then it's probably not worth it.
  • 5
    On the non-technical side: make sure you leave a paper trail of your concerns. Mail them to your boss and your boss' boss. Ideally, also print the mails on paper.

    When the shit hits the fan for real, you'll need evidence to put the blame on the people who had actual responsibility.

    Also, don't sign off any tech document where you are not sure that it's good. You can prepare them and still refuse to sign. Your manager can do that.

    In general, this will raise the stakes for your boss once he realises that you're taking the future blame game into account, and that he won't get away with blame shifting. Putting his ass instead of yours on the line may even prevent some of his stupid decisions.
  • 2
    As long as there are no misunderstandings about your background - and there shouldn't be if you're a trainee - you dive in and figure it out. You will bump your head and it's fine.

    After a couple of months you will be their expert on it.
  • 2
    Thank you all. I voiced my concerns to my boss again using email this time. Let's see what will happen.

    Sadly it's not the first time trainees were considered 'cheap workforce' rather than someone who needs proper education by him and his boss. It's just sad.
  • 3
    @KittyMeowstika Maybe you could also take the initiative and email your boss a kind request for formal security training. Either your boss agrees, which would be great now and for your CV, or at the very least, you have another piece of evidence.

    If you don't get any answer, repeat the request in 2-4 weeks and ask for a decision.
  • 3
    @Fast-Nop I included a request for formal training in my mail^^
  • 2
    @KittyMeowstika In the meantime, here's a book that I can recommend although it's from 2014, Engineering Security by Peter Gutmann:

    http://cs.auckland.ac.nz/~pgut001/...
  • 1
    @KittyMeowstika my opinion:
    Do it! Do it to your best knowledge, and don't sign off on anything anyone else did if it's not good.
    Yes you might not be qualified for this, BUT you're probably better than the other people, because you care. Even if shit does hit the fan, no (good) future employer would hold this against you as you are/were a junior. On the contrary, you can actually gain experience and reputation without taking a risk as high as if you were in a senior position. Obviously you must not compromise, and really give your best. But according to what you said you'll do that anyways.

    Just an opinion though;)
  • 1
    From a recruitment perspective, that's a nice project, I'd gladly hear about it in an interview.

    Review your contract and make sure you're not accountable for it though, maybe ask to add an addendum explicitly stating you're not accountable then enjoy the interesting work.

    The task doesn't feel suited to a junior nor a one-man team though...
  • 1
    @Fast-Nop thanks I'll give that a read^^
  • 1
    @WeAreMany changing my contract might be difficult as it's a standard IHK (German apprenticeship overseer organisation) contract. I don't know if you're allowed to change them. I'll keep it in mind though. Thank you
  • 1
    Security is an area where adding more layers can help; there is nothing 100% secure. Adding workflows, procedures and systems to prevent Intellectual Property from leaving the company is a start, but also it is not your company, you just work there, so don't stress so much.

    https://en.m.wikipedia.org/wiki/...

    https://en.m.wikipedia.org/wiki/...

    https://owasp.org/www-project-top-t...
  • 3
    @KittyMeowstika Under German law, you're not accountable even as a full-time employee unless you grossly violate well-known practices or even laws. That goes even more so for apprentices, who aren't expected to be in the know; that's why they are learning.

    And if shit blows up, make sure it does so on the right day of the week, and then: "Ein Glück, morgen is Berufsschule" ("Lucky me, tomorrow is vocational school") (tm Werner).
  • 2
    @KittyMeowstika Given that they seem to have no sec infrastructure and just want you to bolt something on, try to look up language-specific best practices. For instance with node, there are numerous bcrypt tutorials that can help you implement a basically correct salted db etc.

    From a dev perspective, unless the company hands you specific integration requirements, the best you can do is follow best practices on a tech-by-tech basis, which means escaping SQL, and using https and only trusted crypto libraries for your language and so on.

    "Industry best practices" might exist for sec researchers and consultants, but as you see, it's a joke at most places.
  • 1
    @61164m35h That would be an excellent option if I actually had access to the source code. Yes, you read that right. I don't have access to everything and most source code is locked away from the apprentices. I can tell my colleagues what they should do, but I can't make sure they actually do it.
  • 2
    @KittyMeowstika damn. What the fuck.

    I'm so sorry to see you spend your first year in a suboptimal place.

    Confirm what @Fast-Nop says and move on with it, you can still personally make it worthwhile. Remember we always learn more on our own than in our actual job (except in XR, we learn a shitload everyday :D).

    If you have no intention to quit: moving against the flow will only bring misery. Roll with the punches.
  • 0
    Run away into the woods
  • 0
    @gatorthepimp I wish I could. Changing workplaces while you're still an apprentice is quite hard