Infosec Press

Reader

Read the latest posts from Infosec Press.

from JR DePriest

A tickle, a nuzzle against my neck. A breath. A sigh. I can't move, but I feel the slow, steady rise and fall of my chest. My eyes stay closed. I'm suspended, hovering, hesitating as each side pulls gently. My arm slips and I feel the smooth, muscled warmth of your thigh as you wrap your legs around me from behind. Familiar. You touch my shoulders and slip your hands under my arms. Trembling, my heart thrums, spilling warmth. Smiling, I nod so slightly I'm not sure you noticed. Your exploring hands answer by reaching between my legs, your mouth answers with teeth on my neck. A moan. Not sure if yours or mine. I long to turn around, to close my eyes enough that I can see you, know you, but my arm is asleep. And I hear the fan. My breathing is fast and shallow. I'm lying on my back. Awake. Alone.

I long to see you, to know you, but my body, my mind can't stay there, in the fugue, the twilight, the in between. Do you miss me when I wake? When I sleep and dream? Do you watch from invisible crevices, hiding in shadows, hoping I will remember how to find you? Do you know my True Name? My purpose? I am incomplete. I feel it every day. Something was lost, is missing. I cannot name it or describe it, but you are part of it. Maybe all of it. You will find me and drag me down to the Deep Waters and we will love for eternity. What is one lifetime to wait? Nothing. If I were ignorant; if I didn't know. But I do know. Each touch, each time, each brief moment together fills me with joy and peace before draining me, cruelly, against my protests. I'm not done here, but I wake up empty just the same. I wake up crying and forsaken. I love again and again. I struggle and learn. I hope for meaning that will never be revealed. I make a good life here. I love, I strive, I share. I am not alone. You can see that. But it's not the same. These feelings pale to The Before and The After. Is it time I'm supposed to appreciate? And it's passage? For us, a moment was forever and the universe a drop of water. For me, here, without you, time is a prison.


#WhenIDream #Dreams #Dreaming #Dreamlands #Writer #Writing #Writers #WritingCommunity #ShortFiction #Fiction #Paranormal #NightTerrors #SleepParalysis #HypnagogicHallucinations


CC BY-NC-SA 4.0 This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

 

from Bruno Miguel

I recently found out I have stage two high blood pressure, the level just below a hypertensive crisis. My blood pressure is between 160 and 165 (systolic) and 100 and 108 (diastolic).

I should've known. For a few months, I felt a few chest pains occasionally, but I attributed them to fibromyalgia and the stress it has brought into my life. I was wrong, so very wrong. If you feel your chest hurts, see a doctor ASAP. Don't be a dumbass like me. Moving on...

A high and irregular heart rate was detected during routine exams by the end of 2023. Further exams concluded it was a mix of high blood pressure and arrhythmia. Yay for two health issues that can cause a heart attack. I guess I didn't have enough health issues and needed two more...

Speaking of heart attacks, just a few days ago, I got a glimpse of what one might feel like. After a very stressful event, I felt a lot of pain in my chest, it seemed like my heart was being squeezed, and my arms began to feel numb. It was terrifying! I was terrified! I had to take an extra pill for the blood pressure and do breathing exercises, and even then, it took almost two hours to start to get some relief. I was an inch away from calling an ambulance.

The next day, I began thinking about how to avoid stress. I don't fool myself: I know I can't completely avoid stress. However, I can do something to reduce the number of stressful situations. How I'll do it, that's the question. I have a few ideas, some more radical than others: do yoga, stop smoking, or cut some people out of my life. But I haven't decided on any. I need to think more about it and maybe even do some readings.

If you have some suggestions, feel free to ping me on Mastodon. My handle is @brunomiguel@masto.pt.

#Health #Stress #HighBloodPressure #Heart

 

from Bruno Miguel

I'm a Football Manager player. You probably already read a blog post I published about this game series. Despite playing the game for years, I haven't done a true journeyman save. I've had saves where I start in the lowest division available in a country and take the team to win the Champions League, but not one of these. I attempted to do one a while back but stayed at the first team I managed – task failed successfully. I'll explain what a journeyman save is for those who don't know. You create a save game where you start unemployed, apply to whatever manager roles are available, and manage whatever team offers you a contract (if you get more than one offer, you are free to choose whichever team you prefer). If you want to terminate your contract and/or apply to another team, you are free to do so. Of course, you can do this in any save, but most players start with a team and keep managing it.

For this save, I loaded Germany, Belgium, England, Portugal, Spain, Denmark, France, Italy, Norway, The Netherlands, and Sweden's main divisions. I would have loaded the lower divisions from these countries too if I had more RAM and a faster CPU, but with my current hardware that would have made for a very slow gaming experience. Loading several countries forced me to start as a professional manager (you can start as an amateur manager if you choose to), or I would have stayed unemployed for a long time, and I didn't want that.

There were a few teams with no manager, including Ajax. I applied to all of them, but Mechelen, from Belgium, was the first to offer me a contract and accept my terms. The team is weak, but thankfully, the other teams from the league are not world-class, so I've managed to stay in first place with eight games played so far.

As with every weaker team I manage, my strategy is to get players without a contract and on loan from other clubs. To earn revenue, I try to win as many trophies as possible and sell performing players so that I can then replace them with better players on free transfers or loans. Keeping the wages in check is another thing I have to do, or the club's finances will suffer.

This season's objective is to finish in a position that allows me to play European football, hopefully in the Champions League, and at least reach Belgium's cup semi-final. I know these are hefty objectives, but I play to win as much as possible. I already secured some players on loan that improve the squad quality, and I have two future free transfers that will also increase the grade of the attack, an area the team lacks in quality.

#FootballManager #FM #Gaming

 

from Hyperscale Security

Earlier this week, someone asked me for my top 5-10 things I would recommend to an organization lifting & shifting workloads to public cloud. I thought that was a good starting point. “Refactor” for cloud-native is the common answer, but the reality is that everybody lifts & shifts, so why not recognize that.

So, here are my top 5... and I'll add a sixth as a bonus.

  1. Centralize and automate cloud account creation and billing, and ensure that every account lives in your public cloud Organization. This lets you apply policies centrally and deploy cloud-native security tooling far more easily; an account that sits outside the Organization is invisible to every control below.

  2. Apply cloud guardrails at that Organization level (Service Control Policies on AWS, organization policy constraints on GCP, Azure Policy assigned at management-group scope) to put basic preventative controls in place and make your cloud accounts behave secure-by-default. These are likely the cheapest and most effective security controls you can apply: they enforce logging, encryption standards, network restrictions, MFA, and so on, and account administrators cannot switch them off.

  3. Get a Cloud-Native Application Protection Platform (CNAPP). It can be deployed via Organization policy and provides broad visibility into your cloud estate, across providers and for multiple use cases, including asset discovery, CSPM and vulnerability management.

  4. Related to that, while lifting & shifting your workloads, resist the urge to lift & shift your security tooling from the data center. Look at what the CNAPP gives you, and see whether you can rationalize your security stack, retire point solutions you no longer need, and reduce cost.

  5. Cloud APIs let you describe the infrastructure and services you want and have the cloud materialize them for you, rather than doing everything yourself. The platform is designed for automation. Use Infrastructure-as-Code (IaC) to create your infrastructure, network and service configuration, create compute instances and deploy your VM images. IaC allows you to redeploy from a known-good state, which accelerates patching, system configuration and restoration, while making deployments more predictable.
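Item 2 is the one most worth seeing concretely. The block below is an added example, not code from the original post: a deliberately simplified Python model of how an organization-level guardrail (an AWS Service Control Policy in this illustration) decides whether a call sits inside the boundary it sets. The policy statements, the request-context values and the `evaluate` helper are all constructed here; the model covers only Action/Resource wildcards, explicit Deny beating Allow, and the Bool, BoolIfExists, Null, StringEquals and StringNotEquals operators. The account's own IAM policies must still grant a call that the SCP lets through, and real decisions belong in the IAM policy simulator, not in this script.

```python
"""Simplified model of an organization-level guardrail (an AWS Service
Control Policy in this illustration) deciding whether a call sits inside
the boundary it sets.  Added example, not code from the original post.
Covers only: Action/Resource wildcards, explicit Deny beating Allow, and
the Bool, BoolIfExists, Null, StringEquals and StringNotEquals operators.
The account's own IAM policies must still grant the call; use the IAM
policy simulator for real decisions."""
from fnmatch import fnmatchcase

# Hypothetical guardrail SCP, constructed for this example.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        # SCPs grant nothing by themselves; this Allow just sets the
        # boundary to "everything not explicitly denied below".
        {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        # Nobody, account admins included, may switch off audit logging.
        {"Sid": "ProtectCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail"],
         "Resource": "*"},
        # Encryption standard: S3 uploads must carry a server-side
        # encryption header ("Null": "true" means the key is absent).
        {"Sid": "RequireSSE", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        # MFA enforcement for IAM changes; IfExists also denies callers
        # whose request carries no MFA key at all (long-lived access keys).
        {"Sid": "RequireMFAForIAM", "Effect": "Deny", "Action": "iam:*",
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM action names are case-insensitive and accept '*' and '?'."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """A statement applies only if every operator block is satisfied."""
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[: -len("IfExists")] if if_exists else op
        for key, expected in pairs.items():
            present = key in ctx
            if base == "Null":
                if (str(expected).lower() == "true") != (not present):
                    return False
                continue
            if not present:
                if if_exists:
                    continue          # absent key counts as a match
                return False
            actual = str(ctx[key])
            if base == "Bool" and actual.lower() != str(expected).lower():
                return False
            if base == "StringEquals" and actual not in _as_list(expected):
                return False
            if base == "StringNotEquals" and actual in _as_list(expected):
                return False
            if base not in ("Bool", "StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator {op}")
    return True


def evaluate(policy, action, resource="*", context=None):
    """Return (inside_boundary, sid): the first matching Deny wins,
    otherwise some matching Allow is required."""
    ctx = context or {}
    allowed_by = None
    for st in policy["Statement"]:
        if not _matches(st["Action"], action):
            continue
        if not _matches(st.get("Resource", "*"), resource):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return False, st.get("Sid")
        allowed_by = st.get("Sid")
    return allowed_by is not None, allowed_by


if __name__ == "__main__":
    checks = [
        ("cloudtrail:StopLogging", "*", {"aws:MultiFactorAuthPresent": "true"}),
        ("s3:PutObject", "arn:aws:s3:::payroll/2024.csv", {}),
        ("s3:PutObject", "arn:aws:s3:::payroll/2024.csv",
         {"s3:x-amz-server-side-encryption": "aws:kms"}),
        ("iam:CreateUser", "*", {}),
        ("ec2:RunInstances", "*", {}),
    ]
    for action, res, ctx in checks:
        ok, sid = evaluate(GUARDRAIL_SCP, action, res, ctx)
        print(f"{action:24} {'ALLOW' if ok else 'DENY '} via {sid}")
```

The point the script makes is the one that matters when you lift & shift: the Deny statements fire regardless of what the migrated workload's own IAM roles allow, so a server moved with an over-broad instance role still cannot stop CloudTrail or write an unencrypted object. Note the BoolIfExists form for MFA: a plain Bool would silently exempt long-lived access keys, whose requests carry no MFA context key at all.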

The Cloud is Metered

One bonus recommendation, given the difference between owned and rented compute, network and storage resources. Remember that everything in the cloud is metered and that your architectural choices have potentially significant cost impacts. Don't size the way you did in the data center, with headroom to spare. Figure out what your workload actually needs. Many smaller instances may be cheaper than a few large ones. If the workload is variable (seasonal, or varying over the day), consider autoscaling. If the workload is static, use reserved instances at lower cost.

And after you have done all that, feel free to refactor!

 

from acrypthash

End of the Year Wrap Post

Greetings fellow hackers! I hope everyone had a productive and prosperous year! This blog post is going to be pretty big and all over the place as I discuss what I have been up to over the past few months. It's been quite a ride :D. I am so grateful for this year and how much I've grown.

TLDR; DailyPay Okta breach, malvertising and its woes, security conferences, learning, GCP security, what's to come in 2024.

The first thing we will discuss is a security event that happened with a vendor called DailyPay. For those of you who don't know, “DailyPay is an American financial services company founded in 2015, which provides payroll services such as earned wage access.” The vendor was experiencing odd API requests coming from customer tokens (insert sweaty cat here). We started seeing notifications of odd logins and reached out. Apparently this was related to the Okta breach. Ultimately we rotated tokens, ensured user logins all had 2FA (which they mostly did), and sat tight. A bit anticlimactic, but we managed to keep anything bad from happening. It also taught me the value of actually calling up a vendor when you suspect something odd.

Malvertising is a TTP that is difficult for end users to understand. It's hard to identify and easy to fall for. We work hard to train and explain these things in terms that end users can understand, but getting someone to actually remember to think with security in mind in their day-to-day work is difficult and not realistic. For our organization, we need browser-level security. We are a Google Workspace shop, so we can do some management at the browser level in Chrome, but that is limited and not ideal. Zscaler or a full-fledged MDM is probably going to be the solution for us. In the past month we had an end user fall for this TTP when they googled “Amazon” and clicked on an ad that redirected them to a phishing site. The phishing site is meant to trick you into thinking you have to call “Microsoft Support”.

I have also attended several security conferences this year!
– PancakesCon (virtually)
– BSides Harrisburg
– BSides Philadelphia
– Secure World Philadelphia
– Defcon 31
– JawnCon
– Cybersecurity Summit – Hartford, CT

Attending all of these conferences throughout the year has been such a fun and exciting learning experience. I've networked, learned new skills, learned lockpicking, and I have even started doing talks of my own at Penn State!

I have spent a lot of time reading whitepapers and learning the granular things that come with writing malware and exploits. I have tested these exploits against the environment at work and have learned a lot about remediation! I've learned how to program in Python, Rust, and C! I've learned the classic VirtualAllocEx –> WriteProcessMemory pattern and why not to use it in new malware that I write. I have learned the inner workings of process injection as well. By no means am I an expert, but my understanding of all of this has dramatically increased over the last year. I plan to continue to learn more about malware, about defense evasion methods and more.

We are a Google shop and with that we inherit GCP. I am quite impressed with GCP security. There are several out-of-the-box configs that aren't great, but you are able to lock things down pretty easily. I had implemented things like Terraform scans back when I first started, but now we are ingesting a lot of really interesting data into Datadog. With Datadog, I am able to get alerts in real time on what our K8s clusters are doing and so much more. We have also integrated Datadog alerting into various Slack channels.

The beginning of 2024 is going to be busy. We are deploying our new phishing campaign to end users, and I am building another IR tabletop to run by the end of January, among other things. I am actually utilizing a bit of AI in building the template for my IR tabletop. Due to CitrixBleed being so popular, I think that is what our topic is going to be about.

2024 is going to have several major projects, such as:
– LLM build out for IR training and input (more to come)
– 2 IR tabletops (one Citrix, the other pending)
– Better coding and reverse engineering skills
– New training for all employees
– More blog posts that have more value

I am so excited for more blog posts and projects! LETS GO!

 

from Personal Blog

2023 has been a huge year for me, for many lows in my career, as well as amazing highs. However I’ve always felt something missing, an urge left unscratched, so I’m making this post to plan out my 2024 personal projects and learnings that I want to undertake; a sort of “reflection journal” if you will.

Throughout 2024, I plan to revisit this post to reflect on what I’d like to achieve and how I’m tracking in achieving my goals. This will be followed up with a post detailing how everything is going, what my highlights have been and any potential blockers I’m facing. So, let’s begin with the goal setting!

In no particular order:
– Publishing 2-3 articles on my security blog: I’m already in the draft stages of 1 post, however I got lazy and sort of lost interest. Once I can get that closed off, I have a feeling the rest will come more naturally and I should be able to achieve this quite comfortably.
– Filling out my repo with content: Standing up my repo and filling it with content is a huge item on my list for the coming year. This will not only help my personal understanding of my security work but also give me something tangible I can use throughout my career.
– Filling up my Wazuh instance with agents and directing logs to it via Syslog: Mid-2023 I stood up a Wazuh instance on my internal network, on a Raspberry Pi 4. Currently, I only have 1 agent connected to it and I don’t check it nearly as often as I should. Going forward, I want all computers to have agents installed, and gather logs from my IoT devices to ensure nothing dodgy is connecting to my network. On top of this, working on automations so I don’t have to check things manually will be a huge assist. Having an internal SIEM isn’t something I’ve stood up because I’m paranoid, rather it will help me gain skills across other platforms to help further my career.
– Stick to a fitness plan: Looking after my health isn’t something that’s been top priority for me through my 20s, but with 30 fast approaching I’m starting to feel the repercussions of not taking it seriously. In 2024, I want to become much more disciplined with my health, going for runs, lifting weights and generally being more healthy so I’m around on this Earth for as long as possible.

Here’s to a prosperous 2024, for everyone! 🥂

 

from Ducks

Telegram account: hxxps://t.me/oluxshopsite/ 2 336 subscribers Olux Buy Tools, Shells, web shell, RDP, SSH, cPanel, Mailer, SMTP, Leads, Webmail, Cards, Account, Pages, olux, Olux SHOP, olux store

hxxps://t.me/oluxshopsite/729: Tutorial Video Cpanel & shell & Smtps & Mailler 1$-10$ Rdps & Office logs & Leads & Numbers 1$-20$ Accounts & webmails & Pages & Methods 1$-500$

you can top up your account instantly few seconds with bitcoin Send the exactly number of Bitcoin or more don't close the payment page. u can refresh page

Any Problem with the order:Submit report to seller Seller didn't fix problem within 5 hours.We will refund Buyer. Buyer didn't reply within 24 hours after seller.We will Close report. Note:avoid multi reply. hxxps://olux.li hxxps://oluxshop.li t.me/oluxshopsite/729 edited Sep 28 at 07:43

cdn4.cdn-telegram.org/file/cff2fa7546.mp4 —> not able to catch that one.

IP-address 162.55.238.94

I first stumbled across a cryptofraud site on that IP. But I also found sites on the same IP with hidden content: one or more lines with the following content on one or more pages of the same domain. First example, from view-source:hxxps://www.bitwealthasset.com/ : hxxps://www.oxo.si/'>Buy Spamming Tools, Shells, web shell, RDP, SSH, cPanel. I don't know the value of this, some kind of “SEO” maybe? Other domains with the same code, or variations of it:

bluerichfoods.com bxplorer.online tocpharmaceuticals.com euphoriaeventplace.com (24 rows with the code) abbasheartinternationalministries.com abdanielstradomedhospital.com caishencharteredtrust.com capitalgrowinvest.com capitecfin.com cattyinvest.com cheeckstox.com educurrency.top

citricosartaca.com is apparently a blank page, but contains almost 40 lines of the code, with additional domains and keywords. It contains links to the following domains: oxo.vc (gone), oxo.si (127.0.0.1) and oxo.is (which celebrates Christmas). “Buy Leads” and “SMTP” have sneaked into some places in what “services” they seem to provide.

clarity-options-trade.com climaxpaytrading.com coinswalletsapp.com commercial-trading.com conexriseltd.com crescent-funds.com crownenergy-investment.com cryptohive.online cryptohubmine.com cryptoinxhange.com cryptotradinggai.com bettercryptoinvestment.net climatefitsolutions.com educurrency.top (redirected from chuksblog.top) clarity-options-trade.com climaxpaytrading.com cloudminingcity.com coinstitude.com combdb.com commercial-trading.com corporateuniontrustbank.com couttss.com cryptnetverse.com cryptoevolution.info cryptohubmine.com cryptoinxhange.com cryptoref.info cryptospotpro.online daily-gt.com dashtradefx.com debulad.com decentralisedincome.com deroyaleservices.com doubleyielders.com empablockmarket.live eqtycdf.com euphoriaeventplace.com expertminer.online firstcornerstoneb.com firstmidwsb.com firstspringcu.online flaretrustline.app ftxdailyincome.com fx-primetradhub.com fxnetworktrading.com getmypins.com/manage/ ggemfx.com glimcoinfx.com globalbestcutbutchers.com (in total 190 lines of code) globalbinarycpro.com globalprimefinance.com globalsignalexpertmarkets.com globewritershub.com glockamory.com gnbancorp.com godfelhrconsultancy.com goldenmovicltd.com grandoption.org grantbakingonline.com greencoastonline.org greenpathtb.com greenpathtrust.com gricunashr.com hakkbully.com hakkdomain.com hakknocrat.com haloinvestpro.com hashmarketfx.com heritagecapitalfx.com heritagecf.net heritagepvltd.com hfplatform.live hoardblockexplorer.info hoardfx.com hoperbookings.online horizonjury.com icbcsbnk.com iconiccanna.com trades.idealtradesignal.com instaplug01.com intconib.com intertrustbk.com itechglobehack.com jkcostant.online kathleencahillmariconda.com kryptofxcore.com legacycrf.com legcreditf.com liamfinancing.com liteinterext.online luminerybank.com lumineryfb.com luxorrtech.com masterfxtrade.live mauricugointernational.com mectomfx.com megafxoptions.com midascryptotrade.com milesassetltd.com digitechcompany.cloud/en/public/ (redirects from minecoins.online) moleystonescapitals.com mycrypai.com mypnconline.com myviasupport.com nationalcreditunion.online niketradeprime.com northcelly.com northernsb.com omegafinanceleasing.com optimoser.com optimuminternationalmarkets.com ordezenterprise.com peakhash.com pinb.online premier-option.com primeglobalinvestments.live/home/ profxcrypto.com prohakks.com propertiesloans.com prudcrb.com stockstradersfx.com standardcorpb.com stuartfellstaffordshirebullterriers.com successfulfx.online suisepay.com surfhakks.com swisslitebank.online syngenresources.com tcloudusdt.com tescoinv.com titantrustb.com tnbancorp.com tocpharmaceuticals.com (on a buttload of links on this domain) tokssphere.com tonensiadiamonds.com top-m.online topromedics.com torchcart.com trippydelics.store tsbcadvisor.com ualliancecrdu.com ultimafxoption.com ultimaterealistic.com ultimatexplorer.info

ultrafxoption.com * A bit interesting is that the code did not exist on ultrafxoption.com on November 30th 2022 according to urlscan.io, but shows up in a scan in December 2023. Did all sites get this code injected in this timeframe? I can only speculate, or spend a lot of time trying to find out.

uniqueglobaloptions.com vacationdepts.info vertextradings.com vitalityplc.online waxiprofit.com wcouservice.biz web-gmd.com westagefinance.com * According to urlscan this domain contained the code also on December 4th 2023 winnersviewoptioninvestment.org wisgodynamic.com wmovelogistics.com wolf-trademarket.cfd world-miners.com wourld-cour.com xiloans.com xpressct.com xtrafcb.com xtrainterextcorp.com xtrainterextfb.com xtrainterextfcb.com xtratreasury.com ysmbundle.com ziraatinternationalcorporation.com * According to urlscan this domain contained the code also on September 11th 2023

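The view-source check described above can be made repeatable. What follows is an added example, not part of the original post: a small Python scanner that walks page source and reports injected SEO-spam links of this kind, either anchors that visitors never see (display:none, visibility:hidden, the `hidden` attribute, or off-screen positioning) or anchors whose text advertises shells, RDP, cPanel, SMTP or leads. The sample HTML, the keyword list and the hostnames in it are constructed for the demo; for a real check, feed `find_spam_links` the body of a `curl -s` against the site.

```python
"""Scan page source for injected SEO-spam links: anchors hidden from
visitors, or whose text advertises shells / RDP / cPanel / SMTP / leads.
Added example, not code from the original post; the sample HTML, keyword
list and hostnames below are constructed for the demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Terms seen in the injected anchor text described in the post (constructed list).
SPAM_TERMS = ("spamming tools", "web shell", "shells", "rdp", "cpanel",
              "smtp", "mailer", "leads", "webmail", "ssh")

# Inline styles that keep an element out of the rendered page.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)

# Elements with no closing tag; they never go on the open-element stack.
VOID = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col",
        "embed", "source", "track", "wbr"}


class SpamLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, hidden?) for every open element
        self._href = None      # href of the <a> currently being read
        self._text = []
        self._hidden_link = False
        self.findings = []     # (host, anchor text, reasons)

    @staticmethod
    def _is_hidden(attrs):
        a = dict(attrs)
        return "hidden" in a or HIDDEN_STYLE.search(a.get("style") or "") is not None

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        # Hidden-ness is inherited: a link inside a display:none div is hidden.
        hidden = self._is_hidden(attrs) or (self.stack[-1][1] if self.stack else False)
        self.stack.append((tag, hidden))
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
            self._hidden_link = hidden

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._record()
        # Pop the stack back to (and including) the matching open tag.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def _record(self):
        text = " ".join("".join(self._text).split())
        reasons = []
        if self._hidden_link:
            reasons.append("hidden")
        hits = [t for t in SPAM_TERMS
                if re.search(r"\b" + re.escape(t) + r"\b", text, re.I)]
        if hits:
            reasons.append("keywords:" + ",".join(hits))
        if reasons:
            host = urlparse(self._href).hostname or self._href
            self.findings.append((host, text, ";".join(reasons)))
        self._href = None


def find_spam_links(html):
    """Return [(host, anchor_text, reasons)] for every suspicious anchor."""
    parser = SpamLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page resembling the injected markup described in the post.
SAMPLE_HTML = """<html><body>
<h1>BitWealth Asset Management</h1>
<p>Grow your portfolio with <a href="/plans">our plans</a>.</p>
<div style="position:absolute; left:-9999px">
  <a href="https://www.oxo.si/">Buy Spamming Tools, Shells, web shell, RDP, SSH, cPanel</a>
</div>
<p style="display:none"><a href="https://oxo.is/smtp">Buy SMTP &amp; Leads</a></p>
<footer><a href="https://shop.example/">Buy cPanel &amp; webmail</a></footer>
</body></html>"""

if __name__ == "__main__":
    for host, text, why in find_spam_links(SAMPLE_HTML):
        print(f"{host:15} [{why}] {text}")
```

The visible footer link is reported on keywords alone, which is the right bias for triage: the injected block on a compromised site is usually hidden, but the seller's own landing pages carry the same vocabulary in plain sight, and both belong on the list of hosts to pivot on.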

Various search engines give hits for other sites on the same IP, but the hidden stuff is now gone: fujowillbusiness.com/sample-page/ wmtips.com/tools/info/sh3elltools.to hxxps://www.hotelfontana.de/magazin/tag/ayurvedische-reinigungskur/ hxxps://albertfinni.com/gva_template/crowdfunding-single-template/

Some sites appear in searches, but are now gone: lufix.pro, lufix.to, oluxshop.to

Domains, variations of oluxshop.[tld]: oluxshop.to (127.0.0.1)

Domains, variations of olux.[tld]: olux.to

ICQ: hxxps://icq.im/oluxshop

A now apparently dead Facebook account: hxxps://www.facebook.com/groups/buywebshell/ sh3elltools.to seems somewhat related.

 

from Dr. Sbaitso

Why I won't buy Androids

I was talking about new phones with a friend a few days ago, and he asked about Android choices. I told him I won't buy any Androids, for a bunch of reasons. This is social media, I'm into my second boozy eggnog. I figure I'll share those reasons here too. Most of the reasons are around Google itself, and some how it's handled Android. Only one is because I'm a petty bitch with a collection of heirloom grudges.

First and foremost, Google is an advertising company with a search engine and a browser and a video hosting service and a mobile operating system all designed to keep your eyes and ears on their advertisements. For FY2022, 80% of Google's revenue came from advertising. Given the lengths I go to avoid ads everywhere else, putting a little ad machine in my pocket doesn't make much sense.

Aside: I go to extreme lengths to block ads. I have a very aggressive PiHole setup. My daily browsing is through Vivaldi (which has a built-in ad blocker) (But the new Direct Match stuff defaulting to On is pretty fuckin' shitty, Vivaldi) and also running an over-packed μBlock extension. Secondary browsing goes through Firefox with a similarly-configured μBlock. I also have a WireGuard VPN running on my iPhone so whenever I'm not on my own WiFi network I'm tunneling back in just to use my PiHole. Vivaldi on iPhone also has a built-in ad-blocker.

Besides the ad biz, I don't trust Google overall. It started with Google Reader, but Google is quick to drop the blade on the neck of any product/service/app that doesn't have a VP championing it. The other recognizable names include Google Wave, Google+, Google Fiber, and Google Stadia. What's going to be the 300th entry in the Google Graveyard? They're at 293 right now, so I expect we'll hit 300 by April 2024.

Zooming back out to the state of the internet today, I honestly think Google and Facebook are tied for doing the most damage to the internet and society at large. Their pervasive advertising is enough for me to stay far away from them. But their stains run far deeper. Google Search is now completely useless. Everything is a webpage now. I've lost count of the companies they've either acquired and killed or cloned and killed. They've built data profiles to rival Facebook. And Youtube will gleefully auto-play viewers into misogyny, conspiracy, and rightwing fascism.

On Android specifically, Google has been an exceptionally poor steward of the ecosystem. Flagship devices now get a few years of updates, but anything down-market may get a year of updates before being forgotten like the fifth child at an after-school activity. Google could enforce feature and security updates for a minimum period of time, but they've chosen not to. And it has only recently improved to the shameful level it is at now.

And they've been spreading this fast-fashion/ewaste-speedrun philosophy to the laptop formfactor too. They're goddamned laptops, not milk. I have an Alienware M11x R1. It's from 2010. It still runs Windows 10. Poorly. But it can still get OS and security updates 13 years after release. It's a functional print server for my old Brother laser printer that I bought in ~2007 that only has a USB-B interface.

Beyond the shameful state of Android updates, the Google app store is a fraudulent mess. It's been a problem for years and it's still a problem today. It's impacted millions of users at this point. If the Google Play store is going to be the premier source of Android apps, Google needs to get a lot better at protecting users from bad actors. For devices that contain so much of our lives, failures to protect against financial theft is unacceptable.

And Google themselves are part of the problem. We're overdue for Google's next chat app shakeup. I think. And that's just Google. The phone OEMs can replace it with their own uniquely crappy SMS/RCS/proprietary pile of crap. Going back to the problem of executive champions and vision, nowhere is that absence clearer than the absolute clusterfuck of Google chat apps.

Finally, I mentioned above that I'm a petty bitch. My family holds onto grudges like most folks hold onto fine tableware or farmland. Case in point: My grandfather got screwed over by a Shell gasoline station. He wrote to corporate to explain the situation, and found their answer... unsatisfactory. Nobody in my family has gone to a Shell station since.

My grandfather died over a decade before I was born.

But I have a very personal grudge against Google. They blamed me for something they broke, and have never to my knowledge apologized for it.

Many, many years ago I worked at a small firm. This was when Windows 7 was at its peak, and Windows XP was still very common/well-supported. We had a line-of-business app that was dependent on certain components of Internet Explorer. If you tried to access the web launcher from something other than IE, it would break in really unpleasant ways. Since some of the LOB usage was time-critical, when it broke it was a priority issue.

This was also the time Google started to spread Chrome like herpes. We weren't a big firm, and we didn't have great tools for controlling third-party applications and their updates at the time. Remember, this was almost 15 years ago. I've learned a lot since then, and the toolsets have improved a lot since then.

So folks would just push the button to update Adobe reader, next next next finish. The work we did was highly technical, and again: ~15 years ago, small business, most folks had local admin. We didn't have the tools to do a good job controlling these things. And updating an existing Adobe reader install would “helpfully” install Chrome and set it as the default browser. The LOB “app” was a shortcut on the All Users desktop that pointed to the webpage.

Google Chrome could not support the critical application. So I'd get a panicked phone call from a user because the critical LOB app was failing. I'd either walk over to their desk or RDC into their machine and uninstall Chrome. They'd go back to work, fill out the time-sensitive information, everyone was acceptably content.

Until they tried to click a link outside IE. Say, a link to something important in Outlook. Turns out, Google did a shit job coding the Chrome uninstaller, and left HTML file associations (what Windows uses under the hood to understand it needs to pass data to a browser) just... empty. And in Windows 7, that leads to a specific error message: “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” Hey guess who the System Administrator was. Guess who everyone thought was blocking something they needed to do for work?

Eventually I got the tooling and controls in place to prevent Google Chrome from installing itself where it shouldn't (part of the user profile), and finally blocked the garbage of early Chrome from my corporate domain. It wasn't technically a virus, but it sure acted like one. It sure caused a lot more headache than any actual malware. And I still carry a grudge for the shitass job Google did when spreading their little browser-glitter all over my matte black Thinkpads.

So now my phone is built by Apple. They have plenty of different problems, but Google products are absolutely disqualified.

I really wish Microsoft hadn't given up on Windows Mobile/Phone. A third player with real marketshare would be good for everyone. And comparing the ROG Ally to the Steam Deck highlights how weak Windows is on smaller devices and interfaces that aren't keyboard & mouse. Having an ARM-based processor base would have put Microsoft in a better place to really compete with Apple's M processors. Having an Xbox Mobile/Handheld/Go would be amazing. #RIPWindowsPhone

So yea. I don't trust Google for many reasons. Android itself is a mess. And I'm petty as fuck. That means an iPhone is my only option.

 

from Kevin Neely's Security Notes

I came across a post the other day by JWZ regarding the #billionaire behind one of the more infamous #hacking-for-hire companies around. It's been fairly well known for some time that people and companies were selling their offensive #cybersecurity skills like this, but what was news to me was that Rajat Khare was paying and bullying his way to wiping the slate clean by removing the articles regarding his involvement.

So, given that large language models are trained on data from a certain point in time, I thought it would be interesting to see what one “knew” about Rajat Khare’s activities. I used Mistral Instruct 7B and asked it to create an article regarding Khare’s involvement with funding hack-for-hire companies. The output seemed very good and accurate; I was able to quickly confirm nearly everything in the output below.

I also wanted the reporter’s voice to be hard-hitting, 50’s style journalism, which I don’t think came out very well. It did, however, lead me down a rabbit hole into Russian Oligarch Rybolovlev by linking him to some hacking-for-hire as a customer.

Mistral-Instruct 7B generated article

In the shadows of the digital world, there exists an insidious network of hackers who have been orchestrating a campaign of cybercrime that has left entire nations vulnerable. These hackers operate in secret, using sophisticated techniques to breach even the most secure systems and steal sensitive data from politicians, celebrities, and other high-profile figures around the world.

At the heart of this criminal enterprise is Rajat Khare, an Indian venture capitalist who has been funding firms that eventually became a widespread hack-for-hire enterprise known as Appin. Khare's involvement in these illicit activities has left him with a dark reputation and raised serious questions about his business practices.

Appin was founded by a group of former employees from the Indian cybersecurity firm, Hacking House. These individuals were highly skilled hackers who used their expertise to provide a range of services to clients around the world. However, as time went on, it became clear that Appin's true purpose was to carry out a campaign of cybercrime for hire.

One of the most notorious cases involving Appin occurred in 2018 when they were hired by a wealthy businessman named Dmitry Rybolovlev to hack into the email accounts of his former wife, Elena Okamoto. Using advanced techniques such as phishing and social engineering, Appin was able to gain access to Ms. Okamoto's emails and steal sensitive information about her personal life and financial dealings.

Another high-profile case involved a group of hackers who were hired by the Russian government to carry out cyberattacks against Western governments and political figures during the 2016 U.S. presidential election. It is believed that Appin played a key role in this operation, providing the hackers with access to sensitive information about their targets.

Despite these high-profile cases, Rajat Khare has continued to deny any involvement in Appin's criminal activities. However, evidence suggests otherwise. In 2019, it was revealed that Khare had invested heavily in a company called Cybereason, which provides advanced threat detection and response services. This investment raised suspicions that Khare may have been using his venture capital firm to fund cybercrime operations.

Furthermore, several former employees of Appin have come forward to describe the company's culture of criminality. They claim that the company was run by a group of ruthless hackers who were willing to do whatever it took to carry out their clients' requests, even if it meant breaking the law.

In conclusion, Rajat Khare's involvement in Appin and its criminal activities raises serious questions about his business practices and ethics. It is clear that he has been using his venture capital firm to fund a campaign of cybercrime that has left entire nations vulnerable. As such, it is important for law enforcement agencies around the world to take action against Khare and his associates in order to protect citizens from further harm.

References

Some real-world references:

– Inside the global hack-for-hire industry, Bureau of Investigative Journalism
– Reuters article archived on Archive.org: How an Indian Startup Hacked the World
– Who Is Killing All These Stories About a Controversial Tech Mogul?, from the Daily Beast
– Swiss Prosecutors Investigating Russian Billionaire Rybolovlev
– How mercenary hackers sway litigation battles, Reuters investigative report

edit: Jan 4, 2023: added link to the Reuters “Mercenary hackers” article


from Impossible Umbrella

A while back I bought a The C64 – and found it to have a broken (stuck) key.

The C64

https://infosec.exchange/@ImpossibleUmbrella/111433640609308825

In that thread @markkrueg@treehouse.systems expressed an interest in my posting some photos of how the keyboard mechanism works.

Well with Christmas coming I've had a few days off work, and have finally had time to do that.

The back of the machine

To open the case, you just need to undo the three screws along the front edge. It then opens like a book – you just need to carefully unclip the back edge. Note that all of the screws are just self-tapping screws so be careful not to over-tighten when putting it back together. Also note that there are a number of distinct sizes – so keep careful note of which screws go where!

Inside the C64

There's very little to see inside the machine. The keyboard is fixed to the “top”, there's a small PCB for the side ports on the bottom, and then everything else (including the CPU) is on that tiny main board.

The 'the C64' main board

To remove the keyboard to work on it, undo the nine screws in the black plastic part that hold the keyboard to the case. (You can't see very well from the photo – but the 9th screw is in the top-left corner by the keyboard connector. You can (or at least I could on this model) undo that without removing the keyboard connector – but as you'll see I later took that off too, to make it easier to work on the keyboard itself.) There are two screws holding down that small metal bar, and there's a rubber piece underneath that. (Note for reassembly, that goes with the smoother side up, and the textured side down – I'm not sure it makes a huge difference – but always best to put things back the way you found them, right!)

The keyboard removed

Having removed the keyboard, the next step is to disassemble it. For that, you'll need to remove the ten screws holding the metal plate in place. Given that this plate is the only thing holding the keyboard together, it might be worth propping the keyboard up so it's not resting on its keys when you do this.

The keyboard membrane

It's just a membrane keyboard inside – with the keys actuated by their stems, and with little rubber domes to provide the return. It was one of these that was glued in upside down on my model, leading to my previously having removed it, and placed it back in without any glue.

The detail of the mechanism

You can see in this detailed close-up how the keyboard works. It's three layers of plastic film, with traces on the top and bottom sheet – and with the middle sheet providing just enough separation to keep them apart when a key isn't being pressed.

At this point I was now able to glue the loose dome in place. As suggested by @mos_8502@oldbytes.space I used some RTV silicone, applied with a dental tool.

A close up of the glue repair

I don't think I did too bad a job of this – although you can clearly see which was the one that I glued. I made a very particular effort to avoid getting glue anywhere but this top sheet to plastic (I inserted a sheet of paper whilst I did the glueing).

Reassembly was just the reverse of the above – taking careful note (as I said at the top – but it's worth repeating!) to use the correct screws for each part of the operation. Helpfully there are a different number of each type of screw, so providing you don't drop them you should be okay.

24 hours later, I can report that the keyboard is working fine. The key works perfectly, and now feels the same as all of the other keys (unlike when it wasn't glued in – when it felt a bit wobbly in comparison).

Hopefully this and the accompanying photos are helpful and/or interesting.


from beverageNotes

It's been a while!

This evening I've cracked open a bottle of Holladay One Barrel Bourbon. It is a result of a collaboration with The Saint Louis Bourbon Society and Barrel Blends—this is the “Nice” bottle. It's a Missouri Straight Bourbon Whisky, made with corn, wheat, and barley—percentages weren't shared. It comes in at 120 proof and was aged six years, two months.

I'm a fan.

Trying it neat at first, I smell cherries, leather, cloves and black pepper. There are other aromas in there as well, but I haven't quite cottoned onto them. It starts with a smooth mouthfeel and I can taste cherries and maybe some cinnamon. The heat starts later and then sticks around after swallowing.

After adding some water, the cherry aroma dies off and the cloves pick up a bit. Checking the spice drawer—because there was something there I couldn't quite get—I checked mace, nutmeg, and cardamom. Mace and nutmeg are there, but the cardamom's astringency is not. The flyer did pitch “baking spices”. There's still a hint of black pepper at the finish.

Time to add a little more to my glass and add an ice cube. This is a good one!

Uffda!


from Sirius

A tutorial on the feature for creating lists on Mastodon.

Mastodon offers an important feature for organizing the profiles you follow: it lets you create lists, which work as a slice of your main timeline.

Since the platform has no algorithmic timelines that detect your interests, and posts appear in strictly chronological order, the list feature is very useful for not missing posts on a given topic or from given profiles you care about, letting you browse the news or subjects you are interested in at that particular moment.

With Mastodon version 4.2, you can hide the profiles in a list you created from your home timeline, making it less cluttered and giving you a better experience: you can follow hundreds of profiles without worrying about a chaotic home page where interesting posts get lost along the way.

Creating a list is very simple. As an example, let's create a list on the theme “science news” and hide it from the home timeline, assuming that sometimes you just want to log in and read the latest news from the scientific community without having to hunt for it among your friends' posts.

Click the Lists option in the platform menu, which takes you to the lists tab, where all the lists you have created are shown. At the top, you can type the name of a new list you want to create (in this example we will create a list named “Science”) and, after clicking the + button, circled in the image, it will be created.

image

Once the new Science list has been created, click on it to edit it:

image

Click the Show Settings menu, circled in green in the image below, to display the editing options, then click Hide these posts from home if you want the profiles you will add to this list not to appear in your home timeline.

image

Finally, you need to follow the profiles you intend to add to your list. You can include them in the list in two ways: in the first, from the list's options menu, as in the image below, click Edit list, which opens the tab shown below, where you type the profile's name and press Enter to find it, then click the + sign to add the profile to your list:

image

In the second, go directly to the page of the profile you want to include in the list, click the three-dots icon, circled in the image below, which opens an options menu including Add or remove from lists; click it to choose which list to add the selected profile to, clicking +, as circled in the second image below.

image

image

Done: you will have added the profile to the list you created. You can add several related themed profiles to the same list.
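The same three steps (create the list with the "hide from home" switch, find each profile, add it) can be scripted against Mastodon's REST API. This is an added example and not part of the original tutorial; the instance URL, access token and handles are placeholders or constructed values, and the token needs the read:accounts and write:lists scopes. The HTTP layer is passed in as a function so the calls can be inspected in a dry run without touching a live instance.

```python
"""Create a Mastodon list and populate it via the REST API.

Endpoints used (all in the Mastodon API reference):
  POST /api/v1/lists                title, replies_policy, exclusive (4.2+)
  GET  /api/v1/accounts/lookup      acct=user@domain
  POST /api/v1/lists/:id/accounts   account_ids[] (you must already follow them)
"""
import json
import urllib.parse
import urllib.request

INSTANCE = "https://mastodon.example"        # placeholder: your instance
ACCESS_TOKEN = "REPLACE_WITH_ACCESS_TOKEN"   # placeholder: token with read:accounts write:lists


def http_transport(method, url, headers, body):
    """Real HTTP layer. Kept separate so a dry run or test can swap it out."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def api_call(method, path, params=None, transport=http_transport):
    """One authenticated call. GET parameters go in the query string;
    other methods send a form-encoded body (account_ids[] is a repeated key)."""
    headers = {"Authorization": f"Bearer {ACCESS_TOKEN}", "Accept": "application/json"}
    url = INSTANCE + path
    body = None
    if params and method == "GET":
        url += "?" + urllib.parse.urlencode(params, doseq=True)
    elif params:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        body = urllib.parse.urlencode(params, doseq=True).encode()
    return transport(method, url, headers, body)


def create_list(title, hide_from_home=True, transport=http_transport):
    """Create the list; 'exclusive' is the 4.2 'Hide these posts from home' switch."""
    params = {"title": title, "replies_policy": "list",
              "exclusive": "true" if hide_from_home else "false"}
    return api_call("POST", "/api/v1/lists", params, transport)


def lookup_account(acct, transport=http_transport):
    """Resolve user@domain to an account object (we need its id)."""
    return api_call("GET", "/api/v1/accounts/lookup", {"acct": acct}, transport)


def add_accounts(list_id, account_ids, transport=http_transport):
    """Add already-followed accounts to the list."""
    return api_call("POST", f"/api/v1/lists/{list_id}/accounts",
                    {"account_ids[]": list(account_ids)}, transport)


def build_list(title, accts, hide_from_home=True, transport=http_transport):
    """Create a list, resolve the handles, add them; returns (list_id, account_ids)."""
    new_list = create_list(title, hide_from_home, transport)
    ids = [lookup_account(a, transport)["id"] for a in accts]
    add_accounts(new_list["id"], ids, transport)
    return new_list["id"], ids


if __name__ == "__main__":
    # Live run: needs a valid INSTANCE and ACCESS_TOKEN; the handle is constructed.
    print(build_list("Science", ["someone@mastodon.example"]))
```

The server only accepts accounts you already follow into a list, exactly as the tutorial notes for the web interface, so a follow step (or a check of the relationship) belongs before `add_accounts` in a real workflow.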

As you may have noticed from the images, it's a feature I use a lot; I currently have eight themed lists, not all hidden from my home timeline, since some I use only to focus on posts from certain profiles that won't bother me if they also appear on the home page.

I hope your Mastodon experience keeps getting more fun!

#Tutorial #MastoDicas


from Hyperscale Security

I spent last week at Headquarters which is always great to talk directly with many security colleagues in a short amount of time – and not just in the office, but also dinner and drinks. That always allows for conversations that can go deeper and more passionate – and sometimes more honest – than you get in the day time, let alone when meeting virtually. Especially when you've known each other for years.

Thursday was the local Cybersecurity Awareness Month event, and I was invited for an Executive Q&A on our security strategy and direction. To continue the conversation, I invited those interested to dinner after to close out my week before flying back home. This is how I found myself opposite my oldest friend in the security organization, deeply engaged on one of his favorite topics: open source security.

“But That Stuff is Boring!”

He wanted to talk about protecting against zero days in the most common open source components used in our solutions. Admirable, but aside from the greater risks from known vulnerabilities, how would you do that? Not knowing they exist, such zero days by definition would have slipped through our SAST and DAST scanning. So, are you proposing we run continuous fuzzing tests against such components and dependent libraries, in addition?

We can engage the internal security community (another one of his favorite topics), he replied. They can submit vulnerabilities and pull requests to the maintainers. And we could patch our landscape even before the vulnerability is disclosed.

Wait, you're suggesting we fork the library and deploy a patch, rather than wait for the fix to be released by the maintainers? And then how do we get back on the official version? Do we force all the developer teams to patch twice for a zero day nobody knows about and we have no evidence is exploited in the wild? Why wouldn't we just manage it through the existing known vulnerability management processes with established SLAs, and if necessary deploy a temporary detection or mitigation?

Oh, but that stuff is boring...

Ignoring the Boring Makes Us Vulnerable

We have such a habit in infosec of chasing after the esoteric and interesting. It is encouraged through conferences and social media fame. The cybersecurity industry adds to it, whether for marketing reasons or by adding features that demo well but come without guidance or consideration on how to operationalize them. We like intellectually interesting problems we can solve on our own. But then we shouldn't be surprised when the basics aren't taken care of, and developer teams consider us burdensome and adding irrelevant toil.

I get that it may not be as much fun to chase after teams with reports on alerts or missing evidence for compliance controls, help teams manage a never-ending stream of newly reported vulnerabilities against SLAs, or improve asset discovery and metadata management, rather than chase after zero days. But the boring basics are what truly reduce the attack surface. Ignoring the boring is what continues to make us vulnerable.
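The process argued for in the dinner conversation and here, that a finding enters the existing vulnerability management queue with a severity-based SLA, gets an upgrade when upstream has a fix, a temporary detection or mitigation when it does not, and an escalation when exploitation is observed, is small enough to write down. The following is an added example and not code from the author or their organization; the SLA day counts, component names and advisory identifiers are constructed placeholders.

```python
"""Triage newly reported vulnerabilities against remediation SLAs.

A known vulnerability with an upstream fix is scheduled for upgrade within
its SLA window; a finding with no fix yet (an internally found zero day)
gets a temporary detection/mitigation task instead of a forked patch; and
anything observed exploited in the wild is pulled forward to 'due now'.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed remediation policy: days allowed from report to fix, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    component: str           # affected dependency, e.g. "libexample 1.2.3"
    advisory: str            # advisory id, or "internal-report" for an undisclosed finding
    severity: str            # key into SLA_DAYS
    reported: date           # when the finding entered the queue
    fix_available: bool      # has upstream released a fixed version?
    exploited_in_wild: bool = False


def triage(finding: Finding, today: date) -> dict:
    """Decide the action, due date and status for one finding."""
    due = finding.reported + timedelta(days=SLA_DAYS[finding.severity])
    if finding.exploited_in_wild:
        due = min(due, today)  # evidence of exploitation overrides the SLA clock
    if finding.fix_available:
        action = "upgrade to fixed release"
    else:
        # No upstream fix yet: deploy a temporary detection or mitigation and
        # track the upstream issue, rather than fork and patch the dependency.
        action = "temporary mitigation/detection; track upstream fix"
    status = "overdue" if today > due else "open"
    return {
        "component": finding.component,
        "advisory": finding.advisory,
        "action": action,
        "due": due.isoformat(),
        "status": status,
    }


def triage_queue(findings, today: date) -> list:
    """Triage every finding and order the work queue by due date."""
    return sorted((triage(f, today) for f in findings), key=lambda r: r["due"])


# Constructed sample queue; advisory ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("libexample 1.2.3", "CVE-XXXX-PLACEHOLDER-1", "high", date(2023, 10, 1), True),
    Finding("parserlib 4.0", "internal-report", "critical", date(2023, 10, 25), False),
    Finding("oldutil 0.9", "CVE-XXXX-PLACEHOLDER-2", "medium", date(2023, 8, 1), True,
            exploited_in_wild=True),
]

if __name__ == "__main__":
    for row in triage_queue(SAMPLE_FINDINGS, date(2023, 10, 27)):
        print(row)
```

Run as of 2023-10-27, the exploited medium-severity finding sorts to the top despite its longer nominal SLA, the high-severity CVE with a fix is an ordinary upgrade due within the month, and the internal report without a fix produces a mitigation task rather than a second round of patching once upstream releases.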

Finding Excitement in the Boring

To solve the big problems in security, we must find excitement in the boring. Let's focus our minds on how we implement and operationalize least-privilege IAM and secrets, how we can make CI/CD pipelines both more secure and efficient for developer teams to allow for greater code quality and higher velocity, and provide secure-by-default infrastructure, platforms and services that enable teams to be more productive without getting in their way. Find the intellectual challenge in security engineering and operations. We must work on the risks we face, not the threats we like.
