nobody confident in their own abilities is panicking
-
@Viss this is the "appsec is gonna save cybersecurity" shit all over again.
@da_667 the beatings will continue as long as people who don't know shit about computers continue to find themselves in leadership positions where they make the rules about how computers work and who can do what with them
-
@Viss 5-10 years ago, companies that did appsec assessments were beating themselves off about how writing better code was gonna eliminate cybersecurity and yet, we're still here.
@da_667 heh, i remember a bunch of folks saying how "solid technical controls will eliminate phishing"
then i remember saying "2fa will eliminate phishing"
then "totp will eliminate phishing"
then "zero trust will eliminate phishing"
then "okta will kill phishing"
then "facial recognition and fingerprints will eliminate phishing"
no - as long as you can social a human into clicking shit, phishing will exist.
-
@acdha @krypt3ia my one hope is that all the yolo types, the ones who lied on their resumes to get infosec jobs, who cannot function without having to google everything or rely on a chatbot to do their jobs for them will have to admit defeat and crawl back to starbucks or wherever it is they came from
@Viss @acdha There is nuance to be had here though. Sure there was a push for everyone to get into the cybers for the six figures, but, on the other side of it, there is just SO FUCKING MUCH to this field that no one can be a master of it all.
So, using Google is a feature that we all use. I can't vouch for the lying on resumes but, I think we have a problem in our community of being all the "smartest ones in the room all the fucking time"
@krypt3ia @acdha maybe i should clarify
i am very specifically referring to people who:
- do not have a technical background
- were formerly hairdressers or coffeeshop folks, or oil changers
- who took 1 bootcamp class, or 1 'masters' course, and now want to be leadership or senior redteamers
- these people flatly cannot function without their crutches
- they should never ever have been let to be in charge of shit
-
@cR0w @da_667 that's another big angle too
2 years ago at securityfest i was at lunch and another presenter showed up. some js/npm guy. he laughed and gloated that he doesn't ever need to give a shit about the network or the OS because who cares? his js shit works and that's all that mattered. he openly flaunted being ignorant about how the shit that makes his entire world function is lame and he doesn't care about it.
it's that kinda sentiment right there, that installs the rot
-
@jackryder @Viss @da_667 Even the fact that everything runs on GPOSs like Windows because it's easy is bad. Keep it fucking simple. Why should orgs have to mitigate so many vulns in services they don't want and don't need? Because it's easier for "engineers?" GTFO.
@cR0w @Viss @da_667 I've had that convo!
"We don't have resources to do it safely" is such a strange take for an organization that exists in the real world.
Timelines suck, vendors are charming, shareholders have crazy requests. It's a terrible cycle.
But cheating the cycle is lazy and just erodes the efforts of others.
-
@cR0w @jackryder @Viss @da_667 Because it’s easier to support if everything is installed and turned on by default. You don’t get pesky users calling saying, “Why isn’t this working?” Fewer support calls saves money.
We were fighting this battle in the OS during my Center for Internet Security days back in the early 2000s and made some progress as far as default installs. But entropy is gonna entropy.
-
nobody confident in their own abilities is panicking
https://www.theregister.com/2026/02/23/claude_code_security_panic/?td=rt-3a
the people who are panicking are signaling.
@Viss What I am not confident in is the ability of tech CEOs to prioritize delivering products that are not pure shit.
Delivering quality vs. delivering pure crap at a much lower cost?
-
@Viss The real victims here are the juniors and people recently entering a new field. LLMs teach you nothing (you have to do the learning yourself, like you always do), yet they give the illusion of productivity. The game is rigged so that junior devs are rewarded for pretending to gain understanding, when all they do is lean on the LLMs and hope they don’t fuck up.
-
@Viss Hey now, Claude found an SQL injection in my code and I like to think I have a pretty good practice of secure coding.
It thinks the statically typed i32 is an injection vulnerability and wants to fix it with more than a hundred lines of crud because it doesn’t understand how to make parameterized statements in my SQL library. It also made all of that crud public API in ways it could easily be called out of order and make new state issues. But that’s exactly the point.