nobody confident in their own abilities is panicking
-
@krypt3ia @Viss That's my prediction: intense executive pressure is going to lead to a lot of budget being blown on vendors, and then people who're being asked to do more with less will run the risk of being scapegoated when it doesn't work as well as it did in the demo.
Not a new story in infosec but it's cranked up to 11 this time…
-
nobody confident in their own abilities is panicking
Infosec community panics over Anthropic Claude Code Security
ai-pocalypse: Not the first of its kind
(www.theregister.com)
the people who are panicking are signaling.
@Viss this is the "appsec is gonna save cybersecurity" shit all over again.
-
@krypt3ia @Viss That's my prediction: intense executive pressure is going to lead to a lot of budget being blown on vendors, and then people who're being asked to do more with less will run the risk of being scapegoated when it doesn't work as well as it did in the demo.
Not a new story in infosec but it's cranked up to 11 this time…
@acdha @krypt3ia my one hope is that all the yolo types, the ones who lied on their resumes to get infosec jobs, who cannot function without having to google everything or rely on a chatbot to do their jobs for them will have to admit defeat and crawl back to starbucks or wherever it is they came from
-
@Viss this is the "appsec is gonna save cybersecurity" shit all over again.
@Viss 5-10 years ago, companies that did appsec assessments were beating themselves off about how writing better code was gonna eliminate cybersecurity and yet, we're still here.
-
@Viss this is the "appsec is gonna save cybersecurity" shit all over again.
@da_667 the beatings will continue as long as people who dont know shit about computers continue to find themselves in leadership positions where they make the rules about how computers work and who can do what with them
-
@Viss 5-10 years ago, companies that did appsec assessments were beating themselves off about how writing better code was gonna eliminate cybersecurity and yet, we're still here.
@da_667 heh, i remember a bunch of folks saying how "solid technical controls will eliminate phishing"
then i remember saying "2fa will eliminate phishing"
then "totp will eliminate phishing"
then "zero trust will eliminate phishing"
then "okta will kill phishing"
then "facial recogition and fingerprints will eliminate phishing"
no - as long as you can social a human into clicking shit, phishing will exist.
-
@Viss 5-10 years ago, companies that did appsec assessments were beating themselves off about how writing better code was gonna eliminate cybersecurity and yet, we're still here.
-
@acdha @krypt3ia my one hope is that all the yolo types, the ones who lied on their resumes to get infosec jobs, who cannot function without having to google everything or rely on a chatbot to do their jobs for them will have to admit defeat and crawl back to starbucks or wherever it is they came from
@Viss @acdha There is nuance to be had here though. Sure there was a push for everyone to get into the cybers for the six figures, but, on the other side of it, there is just SO FUCKING MUCH to this field that no one can be a master of it all.
So, using Google is a feature that we all use. I can't vouch for the lying on resume's but, I think we have a problem in our community of being all the "smartest one's in the room all the fucking time"
-
@da_667 heh, i remember a bunch of folks saying how "solid technical controls will eliminate phishing"
then i remember saying "2fa will eliminate phishing"
then "totp will eliminate phishing"
then "zero trust will eliminate phishing"
then "okta will kill phishing"
then "facial recogition and fingerprints will eliminate phishing"
no - as long as you can social a human into clicking shit, phishing will exist.
-
@Viss @acdha There is nuance to be had here though. Sure there was a push for everyone to get into the cybers for the six figures, but, on the other side of it, there is just SO FUCKING MUCH to this field that no one can be a master of it all.
So, using Google is a feature that we all use. I can't vouch for the lying on resume's but, I think we have a problem in our community of being all the "smartest one's in the room all the fucking time"
-
@Viss @acdha There is nuance to be had here though. Sure there was a push for everyone to get into the cybers for the six figures, but, on the other side of it, there is just SO FUCKING MUCH to this field that no one can be a master of it all.
So, using Google is a feature that we all use. I can't vouch for the lying on resume's but, I think we have a problem in our community of being all the "smartest one's in the room all the fucking time"
@krypt3ia @acdha maybe i should clarify
i am very specifically referring to people who:
- do not have a technical background
- were formally hair dressers or coffeeshop folks, or oil changers
- who took 1 bootcamp class, or 1 'masters' course, and now want to be leadership or senior redteamers
- these people flatly cannot function without their crutches
- they should never ever have been let to be in charge of shit -
@krypt3ia @acdha maybe i should clarify
i am very specifically referring to people who:
- do not have a technical background
- were formally hair dressers or coffeeshop folks, or oil changers
- who took 1 bootcamp class, or 1 'masters' course, and now want to be leadership or senior redteamers
- these people flatly cannot function without their crutches
- they should never ever have been let to be in charge of shit -
-
-
@cR0w @da_667 thats another big angle too
2 years ago at securityfest i was at lunch and another presenter showed up. some js/npm guy. he laughed and gloated that he doesnt ever need to give a shit about the network or the OS because who cares? his js shit works and thats all that mattered. he openly flaunted being ignorant about how the shit that makes his entire world function is lame and he doesnt care about it.
its that kinda sentiment right there, that installs the rot
-
-
-
-
@jackryder @Viss @da_667 Even the fact that everything runs on GPOSs like Windows because it's easy is bad. Keep it fucking simple. Why should orgs have to mitigate so many vulns in services they don't want and don't need? Because it's easier for "engineers?" GTFO.
-
@jackryder @Viss @da_667 Even the fact that everything runs on GPOSs like Windows because it's easy is bad. Keep it fucking simple. Why should orgs have to mitigate so many vulns in services they don't want and don't need? Because it's easier for "engineers?" GTFO.
@cR0w @Viss @da_667 I've had that convo!
"We don't have resources to do it safely" is such a strange take for an organization that exists in the real world.
Timelines suck, vendors are charming, shareholders have crazy requests. It's a terrible cycle.
But cheating the cycle is lazy and just erodes the efforts of others.
