Rambling on
Now some more blabbering about shit.
I have always seen myself as the “new guy”, the everlasting n00b. I get impressed when people mention they have worked the sec circus for 12-15 years. I’ve felt like the n00b ever since I was annoying the HELL out of opers on IRC back in the 90’s with all my questions, even if those things pushed me into the world of “security”. I mean, you are not online if you are pinged out or if your server has split from the network because of floods. Nick collides, G-Lines, split rides, lewdness, badness, probably some things in a really really “grey area” were needed to get knowledge about to be able to do what at the time was something that took a lot of both my awake hours, but also supposed-to-be-asleep hours, while digging a hole in the wallet for excessive hours on dialup (well, got fiber in late 98 so it eased up a bit).
Still I am utterly and totally in awe of all those girls/women/guys/men in cyber/information security who make a living out of what is essentially a hobby of mine, even if I have been professionally in it since, well, for a long time.
At times when I am checking the “interconnected supah dupah fly information highway” or reading through twitter (as if that’s not I-net?) the feeling strikes me that DAMN these people know shit.
But thinking about it a bit (curing my imposter syndrome here) I find a few bits and pieces that I actually have some knowledge about. Looking at it with those eyes, yeah sure I could probably write a few lines every now and then, but then I go back to being shy (really uncharacteristic for me, ask anyone).
But we need to get our shit together!
An itching part for me is when something isn’t really charted out correctly or to its full content; it seems that every tweet about something is done to impress the C-level or the next employer or to come out as really 1337. The complex things seem to be left out, it is as if there is a feeding frenzy for the mainstream person or media. Almost as if the goal is to get to be recognized for knowing stuff, not actually doing everything to make shit better. This nags me quite a lot, which is hard for someone like me who’s kinda on the “aspergish” side of things; frankly I do not get that game you are playing.
To give an example: Whooo “Insert Companyname Here” has a CVSS 10 which is really really bad, but also friggin basic to fix, just patch/reconfigure.
Most of the time those issues are people problems, PATCH NOW! Reconfigure!
It takes some “balls” to just reply to the business owner:
– I do not care if you for a few mins lose connection, we are fixing something that can put us out for good, you can thank me later.
Here the “all nodding pros” are tweeting out this, as if it is a hard one; normally quite a few are so full of it they almost can’t write since at least one of their own hands is patting their own back. Not so seldom one also reads some “cocky/nosey/arrogant” lines whereas it seems all business owners are asshats who are negligent towards the issues with security; often these arrogant bastards are pointing fingers or arguing loudly about how worthless such businesses are. Probably the reason these security leets aren’t patching/reconfiguring is that they got lucky and didn’t have exactly that device (this time).
The complex things don’t get much airtime; this baffles me to the point it is getting me to spend time writing about it. For instance the Ripple20 happening with “19 Zero-Day Vulnerabilities Amplified by the Supply Chain”, this mostly just flew by. No one cared much since it is too complex: it hit not a single vendor but a long series of vendors. I just checked the jsof page and there are now 23 confirmed vendors and 71 pending with the vulnerable version embedded in devices/appliances/sensors/anything, 25 vendors not affected and 3(?) low-risk affected.
https://www.jsof-tech.com/ripple20/ if you wanna read some more.
These things bug the crap out of me. I am still flabbergasted by most of the names who tweet and appear in media and conferences, but hey! We do need to address security issues, not address things that build our personas.
We need to fix the things that are broken, even if it is a complex problem with no easy fixes.
Supposedly we are all professionals in the area of competence called Cybersecurity / Information security, but we need to make things get better.