This piece feels like advertorial.
12 posts • joined 30 Mar 2015
Re: Pardon me
the only way to get paid is bug bounties? what?
This is utter tripe. Plenty of people get hired to do security research of all kinds, not just finding vulns in websites (seriously, why do amateurs think this makes them 'rockstar hackers'?)
"Working InfoSec is a fools game in every corporation I've dealt with"
Sure, if you don't like money. Otherwise, now is a very good time to work in infosec.
"Last to get hired, first to get fired/laid off."
Perhaps that's something to do with you? I've never experienced this.
"No one even bothers to pretend to support your job properly (funds, people, and especially tooling). Hell, they don't even bother to read your memos."
It's your job to educate people about security.
"So excuse me if I'm a bit confrontational. Asshole."
This is probably the reason for your job struggles. Fix your attitude.
Re: how's that?
It's a big straw man, which implies that all businesses are doing high level stuff, and ignoring the low level stuff. The truth of the matter is that there are thousands of companies, each at different levels of maturity, doing different things, prioritising things in their own unique way.
Some are neglecting the basics and chasing the advanced. Some are doing the basics well and ignoring the advanced stuff. Some are doing nothing. Some are doing everything badly. Some are doing everything well. Some are in the process of maturing, starting with the basics, with an eye to moving on to the advanced stuff when appropriate.
Businesses exist and operate at all points on the 3-dimensional spectrum of what security activities they undertake, when, and to what level of quality. For example, I have no doubt that TalkTalk had pentests; however, maybe they ignored the results; maybe they delayed patching; maybe the pentest was bad and missed the vuln that was exploited? All these are possibilities, and the suggestion that maybe focusing on threat intel was the reason is just one other possibility, which is clearly not going to be true for all orgs whose security is suffering.
If a third party has all of my keys, that is essentially a 'back-door'. It's a way for someone to have exceptional access, circumventing the protection provided by the encryption. I call that a back-door. Besides, you can't stop people from using systems/cipher-suites that have perfect forward secrecy.
What you think is irrelevant. Encryption is either compromised or not compromised. If law enforcement can access my data with a warrant, then someone can also access it without a warrant: hackers, disgruntled employees, unscrupulous individuals.
If they have the keys, they have the keys. It doesn't matter if they're supposed to have a warrant, hackers/criminals don't care, by the very definition, these are people who are breaking the rules.
Besides, it's not technologically feasible. It's extremely commonplace to use ephemeral session keys, and systems with perfect forward secrecy.
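The contrast the post draws between "a third party has all of my keys" and ephemeral session keys with perfect forward secrecy, as an added toy example that is not part of the original post. It models two session designs against the same recorded transcript: key transport, where the session key is sent wrapped under the server's long-term key, and ephemeral DH, where the long-term key only authenticates the server's ephemeral value and both exponents are discarded. The group modulus, the HMAC standing in for a signature, and the SHA-256 counter-mode stream standing in for an AEAD are all toy stand-ins chosen for this example and are not production choices; function names are invented here.

```python
"""Toy comparison of key transport vs ephemeral DH under long-term key escrow.
Constructed example with toy parameters: HMAC stands in for a signature and a
SHA-256 counter stream stands in for an AEAD. Not for production use."""
import hashlib
import hmac
import secrets
from typing import Optional

# Toy group: Mersenne prime modulus and a fixed base. Real systems use
# RFC 7919 finite-field groups or X25519; this is only to make the math run.
P = 2**127 - 1
G = 3


def new_long_term_key() -> bytes:
    """Server's long-term key (the thing an escrow scheme would hand over)."""
    return secrets.token_bytes(32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def session_key_from_dh(shared: int) -> bytes:
    """Derive a session key from the DH shared secret (toy KDF)."""
    return hashlib.sha256(b"pfs-session" + shared.to_bytes(16, "big")).digest()


def authenticate_ephemeral(server_lt_key: bytes, gb: int) -> bytes:
    """MAC over the server's ephemeral public value; stands in for a signature."""
    return hmac.new(server_lt_key, gb.to_bytes(16, "big"), hashlib.sha256).digest()


def verify_server_ephemeral(server_lt_key: bytes, gb: int, tag: bytes) -> bool:
    return hmac.compare_digest(authenticate_ephemeral(server_lt_key, gb), tag)


def key_transport_session(server_lt_key: bytes, msg: bytes) -> dict:
    """Key-transport design: the client picks the session key and sends it wrapped
    under the server's long-term key. Anyone holding that key later can unwrap it."""
    k = secrets.token_bytes(32)
    return {"wrapped_key": keystream_xor(server_lt_key, k), "ct": keystream_xor(k, msg)}


def pfs_session(server_lt_key: bytes, msg: bytes) -> dict:
    """Ephemeral DH design: the long-term key only authenticates g^b. Both
    ephemeral exponents are discarded once the session key is derived."""
    a = secrets.randbelow(P - 2) + 1          # client ephemeral exponent
    b = secrets.randbelow(P - 2) + 1          # server ephemeral exponent
    ga, gb = pow(G, a, P), pow(G, b, P)
    tag = authenticate_ephemeral(server_lt_key, gb)
    assert pow(gb, a, P) == pow(ga, b, P)     # both sides agree on g^(ab)
    k = session_key_from_dh(pow(gb, a, P))
    del a, b                                  # forward secrecy depends on this
    return {"g_a": ga, "g_b": gb, "tag": tag, "ct": keystream_xor(k, msg)}


def escrow_decrypt(server_lt_key: bytes, transcript: dict) -> Optional[bytes]:
    """What a party holding only the escrowed long-term key plus the recorded
    transcript can recover after the fact."""
    if "wrapped_key" in transcript:
        k = keystream_xor(server_lt_key, transcript["wrapped_key"])
        return keystream_xor(k, transcript["ct"])
    # PFS transcript: g^a, g^b and a tag. The long-term key only verifies the
    # tag; deriving g^(ab) needs an exponent that no longer exists anywhere.
    return None


def escrow_impersonate(server_lt_key: bytes):
    """Caveat: the escrowed key still lets an *active* attacker forge the tag on
    an ephemeral value of its own and MITM future sessions. PFS protects recorded
    traffic from later key compromise; it does not protect against a live
    impersonation by whoever holds the long-term key."""
    b_mitm = secrets.randbelow(P - 2) + 1
    gb = pow(G, b_mitm, P)
    return gb, authenticate_ephemeral(server_lt_key, gb)


if __name__ == "__main__":
    lt = new_long_term_key()
    print("key transport, escrow recovers:", escrow_decrypt(lt, key_transport_session(lt, b"hello")))
    print("ephemeral DH, escrow recovers:", escrow_decrypt(lt, pfs_session(lt, b"hello")))
    gb, tag = escrow_impersonate(lt)
    print("escrow holder can still impersonate server:", verify_server_ephemeral(lt, gb, tag))
```

The point the code makes is structural rather than computational: a recorded key-transport session is readable by whoever later obtains the long-term key, while a recorded ephemeral-DH session leaves nothing in the transcript plus long-term key from which the session key can be rebuilt. The last function is the caveat a practitioner should keep in mind: an escrowed signing key does not break past PFS sessions, but it does let its holder actively impersonate the server from then on.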
Re: Even Jeremy Clarkson could tell them they're wrong
You've made a rather unfair argument. Direct debits are a way to get money out of your account, but you've excluded it from consideration.
What's to stop me from setting up fake companies to which talktalk customers suddenly have direct debits?
On reporting to the ICO
"Under the Data Protection Act (DPA), although there is no legal obligation on data controllers to report breaches of security, we believe that serious breaches should be reported to the ICO."
When companies report their own breaches to the ICO, I have little mini heart attacks from the sheer surprise