> Okay, I call bullshit. That which can be claimed without evidence can also be refuted without evidence.
Aside from the extreme rudeness, what evidence are you looking for? Do you want GP to attach sensitive or classified pen tests results here in public forum?
Pen tests are a requirement for any vendor doing business with the gov. Check out NIST 800-53 and the FedRAMP security process. It's much more intensive than SOC2 which is the standard in the commercial world. I think your information is about 10 to 20 years out of date.
Yikes, I don’t want to live in a world where calling bullshit is “obviously rude” but I’ll bite.
> Pen tests are a requirement for any vendor doing business with the gov.
What does this prove? Solar Winds, Colonial Pipeline (maybe more relevant here), etc.
Your search link doesn’t include anything about extensive penetration tests ensuring the security of these devices. That’s the claim. Where is the evidence?
Also calling someone’s knowledge “out of date” is a, dare I say rude assumption. But judging by your assuring in the security of government contractors I’d say your opinions are quite naive :)
> Yikes, I don’t want to live in a world where calling bullshit is “obviously rude” but I’ll bite.
Sadly, this is an is/ought problem. I don't want to live in a world with poverty and war either, but that doesn't make it fact.
> What does this prove? Solar Winds, Colonial Pipeline (maybe more relevant here), etc.
The point of pen tests is not to guarantee perfection. There are also ways to sweep things under the rug if those in charge are so inclined. But the existence of those things doesn't mean pen tests aren't done, or that nobody cares about security.
> Your search link doesn’t include anything about extensive penetration tests ensuring the security of these devices. That’s the claim. Where is the evidence?
Did you look at either of the first two hits? The first four indeed are evidence that the government does pen tests. The first hit is a government department that solely exists to do penetration tests[1]. The second one called "PENETRATION TEST GUIDANCE" is all the rules regarding how penetration tests must be done[2].
Ok your turn for evidence. What evidence do you have that all of those things are fake? Or that none of the compliance officers actually check it?
> Also calling someone’s knowledge “out of date” is a, dare I say rude assumption.
You're right, I apologize for doing that. I actually thought that was more charitable than the other possibilities, but it doesn't add anything to the discussion so should have been left out.
I don’t need to do research because I’m not the one who made the original assertion. You can’t throw around unsubstantiated claims but require proof from those who try to refute them; that’s not how it works.
“You can’t throw around unsubstantiated claims but require proof from those who try to refute them”
I am claiming relevant experience as my insider knowledge. What experience or proof do you have to back your refutation?
That’s how this works. When somebody gives you a peek behind the curtain while chatting, you don’t go and demand proof. You can ask for it nicely of course. That is the socially acceptable thing to do.
Your behavior is out of line given the casual and pleasant discourse before you showed up.
"When somebody gives you a peek behind the curtain while chatting, you don’t go and demand proof."
It is up to you as a communicator to establish your credebility so that people can trust your words and take your seriously. It's not a favour to the audience.
As far as I can tell, this gentleman has categorised you as a random dude at the bar making things up.
Let’s apply that here.
Guy at the bar is telling war stories, you aren’t sure He is telling the truth, sounds like a tall tale…
You never served in the army so you’re not sure… But your gut is telling you He is a liar.
What do you do?
Nothing. Because you are not in a position to know better. It’s your unsubstantiated guess against a possible lie.
If you are coming to the conversation in good faith, you don’t start with an accusation of lying. You share your doubts and ask politely for more information.
We’ll have to agree to disagree. Personally I think the key is to not use the word “bullshit” unless you’re already on good terms with someone. But you can call BS without using that word, if you’re certain your audience is easily offended.
Not caring if you offend someone? That’s also quite rude!
> I think the key is to not use the word “bullshit” unless you’re already on good terms with someone.
Yes, agree 100%. When you're busting balls with your friends it's perfectly fine, but when it's a stranger online who doesn't know you at all and is likely from a very different culture, it's not a good idea to respond that way, unless you want to offend.
Aside from the extreme rudeness, what evidence are you looking for? Do you want GP to attach sensitive or classified pen tests results here in public forum?
GP's claim is so obviously true that I don't see why they would need to provide "evidence," but you can find a mountain of it yourself with a single duck: https://duckduckgo.com/?q=us+government+penetration+tests&at...
Pen tests are a requirement for any vendor doing business with the gov. Check out NIST 800-53 and the FedRAMP security process. It's much more intensive than SOC2 which is the standard in the commercial world. I think your information is about 10 to 20 years out of date.