Are we doing this? Am I going to bust out the hot takes twitter thread? Ohhh boy oh boy.
Where to start, where to start...

Snort 3 has been in dev for a decade now. IDS/IPS technology has been dying a slow death since the Snowden leaks; with everything being encrypted by default, it's gonna be dead on arrival.
DNS over HTTPS is hot fucking garbage. Full stop.
Tor is trying to put a band-aid over a gaping wound and people whose life and death depends on the technology actually working "go get em tiger!" and watching them getting mauled by lions.
blockchain: or how I made my relational database cosplay as Jabba the Hutt
SSL MITM/Decrypt is really really really fucking difficult to do at all, and even harder to do correctly to where it isn't a massive liability. tbh, I wish it was easier to do.
I won't argue that LetsEncrypt is convenient in that I no longer have to pay 10 bucks for an SSL cert that lasts an entire year, but no method of revoking certs from bad actors and passing that responsibility on to the users is really, really shitty.
It's so bad these days that any time I see a domain with HTTPS signed by LE, it's a heuristic flag for me.
Most of your next-gen EDR could be outdone by fucking sysmon, if anyone bothered to deploy it.
you're either paying for an EDR cobbled together by a handful of VB scripts, or you're paying for log storage. Sometimes, it's both, and you get the benefit of none.
machine learning is a force multiplier, and a bad one that needs a lot of care and tending. It's no better than signature-based AV most of the time, and actively worse when the training data has no idea WTF it's looking at.
With the exception of handguns and tequila, the cloud has allowed so many cocksure people to make such massive mistakes in such a very short amount of time. Best part is when the IT/sec department never knows about it until your customers' database is for sale on a random .onion
Getting certifications isn't a bad form of continuing education, but making them a requirement to get a job is the very definition of gatekeeping. It's your headhunters and/or hiring team being too lazy to actually interview candidates.
Most IT/infosec training is, objectively, awful. And holy shit is it overpriced. Which is why I say it's okay as a form of continuing education, but not as any sort of a proof of prowess or skill.
SANS, I love all the free shit you provide, I love all the guidance and webinars you put out, but the fact is, you're touted as the golden example of what training should be. I don't think a 7,000 dollar 1-week course should be the pinnacle we're aiming for, but hey, it's lucrative
and truth be told, it's not the institute itself that's actually doing much, it's the instructors that are pouring the hours in.
I know I'm picking on SANS here, but the fact that the SANS reading room consists primarily of research papers written by students who will probably never reap any financial gain from the reports the industry benefits from is remarkably sad.
wanna know what's even worse than that? That the reading room consistently features some of the best security research without vendor bias fucking it up.

Most "white papers" are just ads for whatever company produced them and it irritates the fuck out of me.
victim blaming a sufficiently large organization or corporation with a massive profit margin is perfectly acceptable. It's not victim blaming when there were 30 fucking webshells on that derelict JBoss server.
that's called apathy.
Next RSAC, if there ever is another in-person RSAC, consider bringing in keynote speakers who are actually doing the fucking work, and not movie or TV personalities.

I'm not saying their voices aren't valid, but at a conference to discuss the latest security trends?
and yeah, before I get corrected about it being a boondoggle and vendor shitfest, I already know that. baby steps towards legitimacy, because doing shit the right way is too hard.
and while we're on the subject, blackhat allegedly climbed out of the primordial ooze that was DEFCON and the hacker community, then immediately turns around and allows anyone with a modicum of money to speak on whatever the fuck they want. The timecube fiasco was a mess.
and while we're on blackhat? remember the year you were gonna have that congress person as a keynote speaker and then others said that he implicitly believes that women have no right to bodily autonomy, then you gave a half hearted 'we're sorry you're offended' apology? fuck you.
don't bring politics into cybersecurity. Excuse the fuck outta me.

come again?
I don't get, nor have I ever understood, why the fuck everyone clamors to those hacker spy toy vendors at every security con. Most buyers purchase the thing once, shit de-auths all over the con network once, get the top from con ops once, and never do it again.
you're probably not a pentester, and if you are, you probably don't do physical.

Spend your money however you see fit, but what in sam fuck are you doing?
Remember most of those companies you promised to watch more closely when the NSA prism program was leaked? Most of you are happily giving them the keys to the kingdom once again, and this time are throwing away the key.
good example: web browser diversity. THERE IS NO WEB BROWSER, ONLY CHROME. Most of you were around for the 90s and were flipping your shit when Internet Explorer was the default web browser. But because it's Google, it's okay?
google makes a unilateral decision to do a thing, and now because nobody shouted 'this is a bad fucking idea, and is ripe for monopolistic abuse' this is what we get stuck with: Mozilla's execs are fucking blind because all they care about is money, and the rest of us get chrome.
cloudflare? all my homies hate cloudflare. Fuck cloudflare. The fact that Mozilla, in its dying breath said that trusting nazi apologists with your DNS data was okay is just top shelf.
got the Suntory Whiskey. Time to kick this up.
So, let's talk about.... ah yes. Biometrics.

They're all shit. It's all absolute shit. The best case scenario is using them for authorization, NOT authentication. QUIT FUCKING DOING THIS.
They can't be revoked, they can't be replaced, the error rate on biometric shit is highly variable, and can result in violating a person's privacy.
While we're talking about auth, I will take SMS 2FA as a second factor of authentication over having no second form of authentication at all any day of the fucking week.
It's flawed, but telling me that it's worse than a single factor of auth is fucking laughable.
we don't live in a perfect world, the users don't live in a perfect world, our customers don't live in a perfect world. And telling people to not use it at all if there are no other alternatives is fucking irresponsible.
Don't ever have heroes in this community. NEVER elevate anyone you haven't met to that status. We have a serious shitbag problem in infosec right now resulting from hero worship because a couple of people made neat trinkets and they think it makes them untouchable.
nobody is above reproach, nobody is above being told off. Your opinions matter, and you deserve respect. Don't let anyone take that from you. Don't let others abuse you because they're your hero. Don't have heroes. Have people you can rely on.
I'm not a hero. I'm not your hero. I'm an irreverent shitposter who spergs WAY too much over virtual machines, and fucked a tank once. Shit hits the fan and I'm asked for help? Of course you know I'm there.
since it was requested, let's talk about Gartner and the Magic Quadrants briefly.

Gartner and NSS Labs are just a pay-to-play scheme: wine and dine a few people, get them to tell you about what the test battery consists of, or what the scoring criteria is...
and whaddaya know? you're an "industry leading solution" now.
Containers are 'works on my machine' at scale, and mark an industry trying to abstract away the art of operations, performance monitoring, and understanding how shit really works under the hood.

It's made infrastructure easier to reach, but so much easier for providers to exploit
this app no longer working? lol, delete the container and pull a new one. Fuck troubleshooting.

this app running slow? lol, pay for a bigger instance or more resources. Fuck performance monitoring.
supply chain logistics: or how I put a cryptocurrency miner in your docker image and nobody gave a shit until their bill came in the mail.
for all of the shit people give wordpress, the usability is better than most of the static content generating shit I've been suggested over the years.
derelict wordpress deployments keep me employed. I guess I also just have shit taste in blog platforms.
okay. spearphishing bonus round: OSCP isn't exempt from the 'most security training is shit' blanket hot take.
Ostensibly, you learn some cool things, then you get to play in offsec's 'CTF' environment that is broken in very specific ways, then write a report in one very specific format that nobody will ever read.
most pentesters don't fuckin' re-write exploit code on the fly then pray that it does the thing. That's a good way to take down a prod environment and get shitcanned.
Let's talk about the ethics of tool release. Because I'm drunk enough to no longer care about anyone's opinion.
Releasing your tools all over the internet for any shit-eating skid to use is, in and of itself, bad. Arguing that it's to help improve detection is utter horseshit, unless you provide a viable mitigation, and even then, considering how many companies have no security department...
it's still a shitshow. But considering offensive security pros who do tool releases will continue to do so (e.g. fuck you, I won't do what you tell me) and how Pandora's box is already well and truly open, I no longer care about the ethics.
Point me to the janitor's closet. I have fucking trash to clean up, and it ain't gonna clean itself.
on another note, if you are responsible for exporting AV logs so they can be ingested by a SIEM, and your logs do NOT feature a SHA256 hash, do not introduce yourself to me.
It's almost midnight, and I have been talking mad shit all night. If you have a subject you'd like me to talk mad shit about, have at it; otherwise... I see that others have been formulating their own hot takes. Have fun.
remember, no matter how bad it gets, no matter how shit the hot takes are, we're all burned out digital janitors together.
You can follow @da_667.