I would adjust your analogy to describe the new state as 1600m^3 of grain mixed well with 5000m^3 of rabbit shit. I’d be happier if the AI generated, SEO garbage was somehow isolated “in the room next door”.
Is there a law that prevents a company from firing you if you can't get a clearance?
I've seen job postings with something like "the ability to acquire and hold a [Top] Secret security clearance is required for this position". Is this illegal or necessary to be able to fire someone because they couldn't get or lost their clearance?
I think that a better strategy is to make the work that requires a clearance as "small" as possible. Consider two contractors:
Contractor A does everything in a closed area. All software is written, built, and tested on classified information systems. In this situation, it is impractical to move anything out, regardless if the software is actually classified. It's easy to move things back and forth between the developer's machines and the (necessarily) classified test/production system, but now you have the problem from TFA: you can only hire cleared employees or you eat the cost of them doing nothing useful for ~1 year.
Contractor B has arranged things so that the work that has to be done in a closed area is only on the specific information that _must_ be classified as described in the security classification guide for that program. Depending on the program this could be a small software library or even a configuration file. Interns and first-year employees can work on the majority of the system with dummy/stub libraries and fake data, then hand their work over to cleared employees for further testing in the closed area (if that is even necessary for the work at hand). It is not very hard to move software from an unclassified to a classified area. It is harder to move test results from a classified to an unclassified area. A description of what happened when an unclassified piece of software runs in a classified environment _can_ be sanitized and still leave all information necessary to continue work outside. Aside from the situation described in TFA, this also reduces the "it is miserable working in the SCIF" retention problem.
It requires work to arrange things in this way, but not much more work if the software is written using best practices. Maybe this strategy only applies to software development. There are other professions out there I've heard. :)
I'm not sure I understand all of the nuances here (I'm no webmaster), but this is covered in the documentation you linked:
> You must configure page rules to allow Cloudflare to fetch only your Backblaze B2 bucket from your domain. ... Otherwise, someone could use your domain to fetch content from another customer's public bucket. To ensure this does not happen, Cloudflare lets you use page rules to scope requests to your bucket.
The example shows leaving your bucket name in the url as a way to filter out requests to other bucket names. If you want your static site to have http://mysite.com/bucketname/index.html then I guess that's ok. But again, careful configuration and still not for every situation.
I'm sure you can layer more rules to get it exactly right but I'd not be eager to layer on complex configuration through multiple service providers when it is avoidable, unless there is some very compelling overriding reason.
As far as I know, bucket names must be unique at other providers like AWS as well. [0]
I'm no expert but to try and protect my own domain, I use a transform rule to match a subdomain and append "/file/$MY_BUCKET_NAME" to each request. This should return a 404 for anybody who tries to inject their own bucket in the path. I could be wrong of course.
Bolting a Cloudfront distribution onto a S3 bucket is pretty well-trod territory, though, and doesn't have these sharp edges. (Has a couple other ones, but they're less common.)
Does the solution involve using Cloudflare workers? Because, as I said, I'm sure it is possible but maybe we've gone off the deep end a bit. Just how crazy of a configuration do you want just to serve files from an object store?
This looks like an awful lot of setup for "easily solved". Easily solved is what S3 does where this isn't even a problem.
I was surprised by the volume of the handbook material that applies to the role of CEO shadow. To me it implied a high level of formality and expectation of rigid adherence. Then I found this:
> CEO shadows label the handbook MRs they create with the ceo-shadow label. It's a point of competition between CEO shadows to try to best the previous shadows' number of merge requests.
I am no longer surprised by the length of this section of the handbook.
Using Chrome and it is very slow to load. Never timed it. Worse than the slow loading time, for me, is there is no indicatio when it is ready for business. If I try to interact with it without waiting about 10 seconds, it sometimes locks up and I have to reload the page. Very snappy afterwards, if I have some initial patience.
reply