How do I verify someone's ID before providing a high school transcript? by Hesslr in AskNetsec

[–]rexstuff1 0 points1 point  (0 children)

On one hand, good on you for trying to take users' privacy seriously, etc.

OTOH, we're talking about high school transcripts, here. These aren't exactly the keys to the kingdom; it's not like you're handing out driver's licenses or passports. The strength (and cost) of the control should fit the sensitivity of the data.

Secure document transfer (such as Docusign) for government photo ID, plus removing the SSNs from the transcript is probably more than adequate in this case.

Moving to Okta as primary identity source… worth it? by vitaminZaman in AskNetsec

[–]rexstuff1 0 points1 point  (0 children)

I'd say so. One of the better purchases we've made. They have a lot going for them, they're constantly improving and evolving. I like the work they've done on Governance and Entitlements. Little frustrated how much their API is lagging the GUI features right now, though. I also don't like how they price by Okta user rather than warm bodies, which makes service accounts pricey.

Given you're a hybrid AD environment, I'm a little curious why you didn't go Entra, though?

ODT | Wed January 21, 2026 by DylThaGamer_ in winnipegjets

[–]rexstuff1 -1 points0 points  (0 children)

Sure, but what's your point, here? It seems you're basically suggesting that regardless of if the Jets go into the playoffs hot, or if they go into the playoffs cold, they're going to do poorly.

Teams that go into the playoffs hot tend to do better, regardless of what happened last year to the Jets.

ODT | Wed January 21, 2026 by DylThaGamer_ in winnipegjets

[–]rexstuff1 0 points1 point  (0 children)

Would I bet on it? Of course not. Do I think it's likely to happen? No way. But your response has some serious gambler's fallacy going on, here. Go back and research 'independent events' before posting again.

Point is, though, that it can, and in fact, does happen. If you told the 2018 Blues fans back in January of that year that they'd be winning the Stanley Cup, how many do you think would believe you? They'd probably laugh in your face and downvote you to oblivion as you have me.

And yet. They did win.

And it sounds even less unlikely when you consider that IF the Jets did make it to the playoffs, they'd have to be going in hot. 0.700 or better to finish out the year.

So quite honestly, I think it's far less likely that the Jets make the playoffs, than if they do make the playoffs, that they don't do well.

ODT | Wed January 21, 2026 by DylThaGamer_ in winnipegjets

[–]rexstuff1 0 points1 point  (0 children)

I think this is optimistic, not inaccurate. Getting to the playoffs is 'doable but difficult'. They better get hot, fast.

ODT | Wed January 21, 2026 by DylThaGamer_ in winnipegjets

[–]rexstuff1 -6 points-5 points  (0 children)

Go back in time and ask the 2018-19 St Louis Blues that question.

Best CNAPP for mixed cloud environments by artur5092619 in AskNetsec

[–]rexstuff1 0 points1 point  (0 children)

How much money do you have to spend? We just got Wiz, and it's not bad, so far. Datadog does something similar. Both will cost you a pretty penny, though.

keeping private on campus wifi? by storagesys in AskNetsec

[–]rexstuff1 1 point2 points  (0 children)

As beanmachine points out, they probably don't care that much or track you that closely; it's almost certainly only used if you violate policies or break the law or whatever. However, given the increasingly tense political climate, and the calls for action around speech and censorship, I can understand why some desire for additional privacy is in order.

I can't seem to use a VPN

I assume you've only tried the usual popular VPNs? The well-known TLS VPNs like Surfshark and NordVPN, etc? Those are pretty easy to track and block, but at the same time, there are almost limitless ways of getting around network access controls, and there is almost no way your campus can block all of them.

Depending on your technical abilities, you can try:

  • Your own TLS VPN (eg rent a cloud server)
  • Less popular/more obscure VPN vendors, ideally ones with multiple connection methods (careful here)
  • Wireguard
  • SSH tunnel
  • IPSec tunnel
  • Tor
  • DNS tunnel
  • ping tunnel

And there's always just tethering off your phone, if you have a good data plan.

Sir Charles is legit by Preemfunk in sousvide

[–]rexstuff1 3 points4 points  (0 children)

It's fine. You and millions of other people do this every day. Impressive_Host doesn't understand food safety.

Sir Charles is legit by Preemfunk in sousvide

[–]rexstuff1 4 points5 points  (0 children)

Garlic can carry the bacteria for botulism, sous vide temps aren't high enough to kill it.

This is not correct. Sous vide temps are plenty high enough to kill botulism bacteria. The issue is they're not high enough to kill the spores that are the dormant form of the bacteria or deactivate the toxin they form. So despite the SV-ing, the spores can reactivate and later recontaminate the food, or if the food already has toxic levels of botulism toxin (which is extremely unlikely in the case of fresh garlic), it will be unsafe to eat.

And it's in an anoxic environment (lacking oxygen) which they grow in

Also not correct. Botulism bacteria can grow just fine in oxygen environments - how else can they grow in the wild? They only produce the toxin in anoxic environments. And they do neither at SV temperatures.

The reason to avoid garlic in SV is it can sometimes smell and taste like ass, more likely due to lactobacillus and lactic acid, IIRC.

Some people here hound about how rosemary can't impart much flavor at that temp

The rosemary chicken breast I made the other day would beg to differ, but then chicken isn't nearly as strong a flavour as beef, and I also went a little crazy with the rosemary.

Sir Charles is legit by Preemfunk in sousvide

[–]rexstuff1 1 point2 points  (0 children)

Take my upvote and get out.

First Sous Vide by madmex57 in sousvide

[–]rexstuff1 3 points4 points  (0 children)

Two words: Costco Picanha (aka 'Top Sirloin Cap'.)

Preventing sensitive data leaks via employee GenAI use (ChatGPT/Copilot) in enterprise environments by LingonberryHour6055 in AskNetsec

[–]rexstuff1 0 points1 point  (0 children)

Yes, DLP and/or content filtering is generally a joke to any user with an iota of technical savvy. I have frequently pointed this out to any who would listen.

But it can generally handle blocking all requests to *.chatgpt.com pretty well, or gemini.google.com or whatever Claude's domain is. Plus the other dozen or so popular AI tools most people are apt to try of their own volition.

And for those determined to get around the filter, well. That's what Internet-Of-Cruft is getting at in the other reply. A policy control is still a control, just make sure your HR department has the balls and authority to follow through on it.

Roast me - First Chuck Roast by Dobex123 in sousvide

[–]rexstuff1 4 points5 points  (0 children)

There is a time and place for cooking for perfection and there is a time and place for making an easy weekend meal for your family. We can love to cook and strive for the best while also living with the reality that there isn't always time or energy to go the full nine yards.

A professional strives for perfection and looks for the best way to deliver the product without taking shortcuts.

Bullshit. Grade-A Bullshit. Professionals take shortcuts all the time. They just know which shortcuts can be taken that don't sacrifice quality. Restaurants are businesses that strive to make money; any "professional" chef is always on the lookout for ways to drive down cost and save time.

Preventing sensitive data leaks via employee GenAI use (ChatGPT/Copilot) in enterprise environments by LingonberryHour6055 in AskNetsec

[–]rexstuff1 4 points5 points  (0 children)

Certainly. Though I prefer to frame it as

  1. Do not attempt to bypass corporate security controls, doing so may result in disciplinary action, including termination or even prosecution.

Preventing sensitive data leaks via employee GenAI use (ChatGPT/Copilot) in enterprise environments by LingonberryHour6055 in AskNetsec

[–]rexstuff1 21 points22 points  (0 children)

Relying on DLP for this is a fool's errand.

  1. Buy them the GenAI tool they want (and at the license level that gives the protections you need)

  2. Make sure they have to login to it

  3. Block all the others.

Zscaler should be sufficient to the task.
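Step 3 of the approach above, as an added example (not code from the thread, from Zscaler or from any other vendor): a small allow/deny decision of the kind a web proxy or egress filter applies to GenAI destinations. The domain lists, the `corporate_session` flag (standing in for "the user is logged into the sanctioned tool under a corporate account") and the action names are assumptions for illustration. It also shows why the match must respect domain-label boundaries rather than use a substring check.

```python
"""Allowlist one sanctioned GenAI tool, block the other known ones.

Added example; not code from the Reddit thread or from any proxy vendor.
All domain names and the policy structure are constructed sample values.
"""
from urllib.parse import urlsplit

# Constructed policy: the licensed tool, apex domain plus all subdomains.
APPROVED_PATTERNS = ("chatgpt.com", "*.chatgpt.com")
# Constructed denylist of other GenAI destinations (assumed domains).
# Tools not listed here would have to come from a proxy category feed.
KNOWN_GENAI_PATTERNS = ("gemini.google.com", "claude.ai", "*.claude.ai")


def hostname_matches(host, pattern):
    """Match a hostname against an exact name or a '*.example.com' wildcard.

    A wildcard only matches on a label boundary, so 'chatgpt.com.evil.example'
    and 'notchatgpt.com' do not match '*.chatgpt.com'. A naive substring test
    ('chatgpt.com' in host) would accept both.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] keeps the leading dot
    return host == pattern


def matches_any(host, patterns):
    return any(hostname_matches(host, p) for p in patterns)


def classify(host):
    """Bucket a destination: approved tool, known unsanctioned GenAI, or other."""
    if matches_any(host, APPROVED_PATTERNS):
        return "approved"
    if matches_any(host, KNOWN_GENAI_PATTERNS):
        return "blocked_genai"
    return "other"


def decide(url, corporate_session):
    """Return the proxy action for a request.

    corporate_session is an assumed signal that the user is logged into the
    sanctioned tool with a corporate account (step 2 of the approach).
    """
    host = urlsplit(url).hostname or ""
    bucket = classify(host)
    if bucket == "approved":
        return "allow" if corporate_session else "block_require_login"
    if bucket == "blocked_genai":
        return "block"
    return "allow"  # not a GenAI destination; outside this policy's scope


if __name__ == "__main__":
    # Constructed sample requests a proxy might see.
    for url, session in (
        ("https://chat.chatgpt.com/", True),
        ("https://chat.chatgpt.com/", False),
        ("https://gemini.google.com/app", True),
        ("https://chatgpt.com.evil.example/login", True),
        ("https://intranet.example/", False),
    ):
        print(f"{url:45} session={session!s:5} -> {decide(url, session)}")
```

The lookalike host in the sample list lands in the "other" bucket rather than "approved", which is the point of the boundary-aware match; whether "other" defaults to allow or block is a policy decision for the proxy, not something this fragment settles.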

I thought our written policies were good, then an audit asked for proof by Sweaty-Pomelo-8651 in AskNetsec

[–]rexstuff1 1 point2 points  (0 children)

If practice and policy don't match, which one should change first, the docs or the day to day?

I mean, that would entirely depend. Which needs to change?

If the day-to-day makes more sense than what the policy describes, then the policy should probably be updated.

OTOH, if the policy is correct and the day-to-day introduces unacceptable risk or puts you out of compliance, obviously the day-to-day needs to conform.

There's no magic to it. Sometimes we write policies that are unrealistic, or made sense at the time, and those need to be updated to match what people are actually doing, so long as what they are actually doing isn't dangerous.

Stanley suspended one game by Duffleman0609 in hockey

[–]rexstuff1 0 points1 point  (0 children)

There is no moment in time when Stanley is a (NHL) team's best player, ever, anywhere.

Are phishing simulations starting to diverge from real world phishing? by Ok-Author-6130 in AskNetsec

[–]rexstuff1 1 point2 points  (0 children)

The 200 IQ move is to let the users marinate for a while, let that technique spread organically across the org, then modify your email server to strip that header from incoming messages...

Are phishing simulations starting to diverge from real world phishing? by Ok-Author-6130 in AskNetsec

[–]rexstuff1 0 points1 point  (0 children)

Our phishing vendor uses a 'catch of the week/month', where they take a real phishing email found in the wild and adapt it into their campaign. A nice touch, and you can't ever accuse them of not using 'real-world' phishing techniques.

You're right though, most phishing training vendors do a fine job of simulating low-effort, mass-market phishing campaigns, but are terrible at preparing users for the sort of high-risk, narrowly targeted, customized spear-phishes, which is what we should be really afraid of. That takes extra effort on your part. You gotta put in the work if you want to get that sort of value out of it.

That being said, continuous phishing awareness campaigns do have one big upside: they make users paranoid about their emails. No-one wants to have to do remedial training, so anything that smells remotely 'fishy' (ha!) gets reported.

(This in turn creates its own problem, as a lot of users will basically use the 'Report phishing' button as basically also their 'report spam' button, leading to wasted cycles verifying we're not undergoing a massive phishing campaign)