GNU social JP
GNU social JP is a GNU social server in Japan.
Notices by Kelly Shortridge (shortridge@hachyderm.io)

  1. Kelly Shortridge (shortridge@hachyderm.io)'s status on Saturday, 10-Aug-2024 07:55:17 JST

    The #security community truly deserves better than the current status quo it gets from so many of its vendors.

    Vendors shouldn’t narcissist’s prayer and gaslight you after they cause harm! They should respect their accountability rather than litigate against their victims.

    I legit cannot wait until security practitioners realize how much better their lives could be, and the joy they will feel being free of jank tooling.

  2. Kelly Shortridge (shortridge@hachyderm.io)'s status on Friday, 09-Aug-2024 21:35:43 JST

    I’ve always side eyed the phrase “simping” until I saw the obsequious praise security bros are lavishing on Crowdstrike for one of the worst “RCA” docs I’ve ever read, and now I get it

  3. Kelly Shortridge (shortridge@hachyderm.io)'s status on Monday, 22-Jul-2024 22:42:25 JST

    ^ In our RFIs, we note that commercial security software is often a boon for attackers given its deep access + poor quality

    indeed, much of it resembles malware in functionality.

    in the #Crowdstrike case now, it’s poorly written malware. “Skidiot” shit, as a friend would say…

    For all the ballyhooing about open source, why don’t we take the security of commercial security software more seriously?

  4. Kelly Shortridge (shortridge@hachyderm.io)'s status on Monday, 22-Jul-2024 22:42:25 JST
    in reply to
    • Ryan Petrich

    this is why I’ve side eyed any federal document about software #security, quality, or #resilience that demonizes open source software while touting the virtues of commercial cybersecurity products

    as if those products aren’t notorious for deep access + flimsy quality…

    I’ve written about this concern in two separate RFIs to CISA et al (with co-conspirator @rpetrich)

    1) on OSS security https://kellyshortridge.com/blog/posts/rfi-open-source-security-response/

    2) on secure by design https://kellyshortridge.com/blog/posts/rfi-secure-by-design-response/

    #crowdstrike


    Attachment: Secure by Design RFI Response from Shortridge Sensemaking LLC (kellyshortridge.com)
      This blog post describes our response to CISA’s RFI on Secure by Design and links to the PDF of our comments.
  5. Kelly Shortridge (shortridge@hachyderm.io)'s status on Monday, 22-Jul-2024 22:42:17 JST
    in reply to
    • Thomas Depierre

    @Di4na lots of companies need to ship things fast and as widely as possible.

    albeit, far fewer have the level of access into the system that EDR has (which would suggest investing in even more “ensure the software delivery behaves as intended” tooling).

    regardless, this is why build checks, integration tests, staging environments, experiments, and other software quality tools/approaches exist.

  6. Kelly Shortridge (shortridge@hachyderm.io)'s status on Monday, 22-Jul-2024 03:26:01 JST

    P.S. probably my primary goal with writing my book was to address both 1 & 2 above ^

    reveal to platform engineers & SREs how very capable they already are to solve cybersecurity challenges

    and to teach cyberpros how software works, a crash course in software delivery practices, all the opportunities they overlook while drooling over the RSAC vendor hall, etc.

    shameless plug: https://securitychaoseng.com/


    Attachment: Book - Security Chaos Engineering: Sustaining Resilience in Software and Systems (www.securitychaoseng.com)
      The official website for the book 'Security Chaos Engineering: Sustaining Resilience in Software and Systems.'
  7. Kelly Shortridge (shortridge@hachyderm.io)'s status on Monday, 22-Jul-2024 02:11:46 JST
    in reply to
    • Bynkii

    @bynkii the irony is, the security leaders I know who _do_ adopt modern engineering practices and think in terms of software resilience all seem… way more chill?

    like they actually love their work, feel fulfilled, burn out less, are more respected

    sometimes feels like a lot of traditional infosec selected for self-sabotaging / perpetual victim vibes. it’s a crappy way to live.

  8. Kelly Shortridge (shortridge@hachyderm.io)'s status on Monday, 22-Jul-2024 01:08:40 JST

    it’s kind of funny seeing the dynamic I’ve lived when speaking at conferences the past ~5 years play out at scale now

    cyberpro bros adamantly refuse to believe modern software practices can work

    and platform engineers / SREs are dumbfounded upon learning how behind cybersecurity is as an industry

  9. Kelly Shortridge (shortridge@hachyderm.io)'s status on Monday, 22-Jul-2024 01:08:40 JST

    tl;dr of the current crowdstrike incident discourse:

    cyber bro in wrinkly chinos: “actually, modern software practices do not work, pls stop bullying the c-suite of an $80bn corporation”

    trans furry platform dev: “bitch u live like this????? I don’t sandbend compilers for u losers to skip unit tests”

  10. Kelly Shortridge (shortridge@hachyderm.io)'s status on Monday, 22-Jul-2024 01:08:39 JST

    I’ve long felt that if the software engineering world realized:

    1) how accessible cybersecurity actually is in terms of an understanding of what matters in practice

    2) how dreadfully behind the cybersecurity industry is in terms of basic practices, understanding of systems, etc.

    immense outrage would foment at large, and perhaps real change demanded

    there’s a reason why infosec pros present the problems as arcane and inaccessible, why they protect their own and knit tight cliques…

  11. Kelly Shortridge (shortridge@hachyderm.io)'s status on Monday, 22-Jul-2024 01:08:39 JST

    I’m especially tickled that cyberpro bros have always haaaated when I said outages are way worse in terms of business impact than the vast majority of cyberattacks

    and that cybersecurity problems really aren’t as hard relative to other software concerns as they pretend they are…

    (see also: https://kellyshortridge.com/blog/posts/cybersecurity-isnt-special/)


    Attachment: Cybersecurity Isn't Special (kellyshortridge.com)
      This blog post explains why cybersecurity shouldn’t be a special stream of work in organizations, and presents opportunities for security programs to become more constructive and less gatekeepy.
  12. Kelly Shortridge (shortridge@hachyderm.io)'s status on Friday, 19-Jul-2024 22:24:38 JST

    okay people, stop with the 👉🥺👈 but crwd is just an itty babby don’t be meeean

    they are a grown ass commercial software vendor who has known, for years, by design, that they effectively deliver a rootkit into enterprise systems and, often, critical infrastructure

    again, if you have the energy to shame OSS contributors for their mistakes, but make excuses for large commercial vendors: maybe what you seek is punching down, not making the software ecosystem better https://hachyderm.io/@shortridge/112813022742284016

  13. Kelly Shortridge (shortridge@hachyderm.io)'s status on Friday, 19-Jul-2024 22:03:40 JST

    and this is why we need to stop absolving *commercial* cybersecurity vendors of software quality concerns.

    there should be multiple checks preventing this type of broken content in an update.

    how did they allow it to ship to so many machines all at once?

    #crowdstrike

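    The posts above on software delivery (build checks, integration tests, staging environments) and on "multiple checks preventing this type of broken content in an update" describe layered gates in general terms. The following is an added, self-contained example by the editor, not code from the author or from any vendor, of what such gates look like when written down: a structural check on the update artifact, a host-side load check, and a ring-by-ring rollout that halts the moment a ring is unhealthy. The update format (JSON with a header-declared field count and a list of rules), the host and fleet model, and the sample update artifacts are all constructed for the example.

```python
"""Added example: three independent checks a content update must pass before it
reaches a whole fleet. Illustrative code only, not any vendor's pipeline. The
update format, the host model and the sample updates are constructed here."""
import json
import re
from dataclasses import dataclass
from typing import Optional


class UpdateRejected(Exception):
    """Raised when an update fails a pre-ship check."""


def validate_update(raw: bytes) -> dict:
    """Check 1 (build time): the artifact must parse and match its own header.

    Every rule must carry exactly the number of fields the header declares and
    every field must be a non-empty string, so a malformed artifact is refused
    before any host sees it.
    """
    try:
        update = json.loads(raw)
    except ValueError as exc:
        raise UpdateRejected(f"unparseable update: {exc}") from exc
    for key in ("version", "field_count", "rules"):
        if key not in update:
            raise UpdateRejected(f"missing header key {key!r}")
    n = update["field_count"]
    if not isinstance(n, int) or n <= 0:
        raise UpdateRejected("field_count must be a positive integer")
    if not update["rules"]:
        raise UpdateRejected("update carries no rules")
    for i, rule in enumerate(update["rules"]):
        if not isinstance(rule, list) or len(rule) != n:
            raise UpdateRejected(f"rule {i} does not have the {n} fields the header declares")
        if not all(isinstance(f, str) and f for f in rule):
            raise UpdateRejected(f"rule {i} has an empty or non-string field")
    return update


@dataclass
class Host:
    name: str
    ring: int                      # 0 = canary ring, higher rings ship later
    version: Optional[str] = None  # content version currently loaded


def apply_on_host(host: Host, update: dict) -> bool:
    """Check 2 (host side): load the content the way a real host would.

    Constructed host behaviour: field 1 of each rule is a regex the host
    compiles at load time. A pattern that is schema-valid but will not compile
    is exactly the kind of fault the structural check cannot see.
    """
    try:
        for rule in update["rules"]:
            re.compile(rule[1])
    except re.error:
        return False  # host failed to load the content: unhealthy
    host.version = update["version"]
    return True


def staged_rollout(update: dict, fleet: list) -> list:
    """Check 3 (delivery): ship ring by ring, halting at the first unhealthy ring.

    Returns the names of hosts that loaded the update. A failure in ring 0
    leaves every later ring untouched instead of breaking the fleet at once.
    """
    shipped = []
    for ring in sorted({h.ring for h in fleet}):
        results = {h.name: apply_on_host(h, update) for h in fleet if h.ring == ring}
        shipped.extend(name for name, ok in results.items() if ok)
        if not all(results.values()):
            break  # do not widen a rollout that already broke a ring
    return shipped


def ship(raw: bytes, fleet: list) -> tuple:
    """Run the three checks in order; returns (status, hosts that got the update)."""
    try:
        update = validate_update(raw)
    except UpdateRejected as exc:
        return f"rejected before shipping: {exc}", []
    shipped = staged_rollout(update, fleet)
    if len(shipped) < len(fleet):
        return "halted: a ring reported unhealthy", shipped
    return "shipped to all rings", shipped


def make_fleet() -> list:
    """Constructed fleet: one canary host and three production hosts."""
    return [Host("canary-01", 0), Host("prod-01", 1), Host("prod-02", 1), Host("prod-03", 1)]


# Constructed sample artifacts (version strings and rules are made up).
GOOD_UPDATE = json.dumps({"version": "2024.07.a", "field_count": 3, "rules": [
    ["lsass-access", r"lsass\.exe", "alert"],
    ["encoded-ps", r"powershell.*-enc", "block"]]}).encode()
MALFORMED_UPDATE = json.dumps({"version": "2024.07.b", "field_count": 3, "rules": [
    ["lsass-access", r"lsass\.exe", "alert"],
    ["encoded-ps", r"powershell.*-enc"]]}).encode()          # one field short
BAD_REGEX_UPDATE = json.dumps({"version": "2024.07.c", "field_count": 3, "rules": [
    ["lsass-access", r"lsass\.exe", "alert"],
    ["broken", "[unclosed", "block"]]}).encode()             # schema-valid, will not compile

if __name__ == "__main__":
    for label, blob in [("good", GOOD_UPDATE), ("malformed", MALFORMED_UPDATE), ("bad-regex", BAD_REGEX_UPDATE)]:
        print(label, "->", ship(blob, make_fleet()))
```

    The point of the three layers is that each catches something the others cannot: the malformed sample never leaves the build, the bad-regex sample passes the schema check but is stopped in the canary ring so the three production hosts never load it, and only the good sample reaches every ring.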
  14. Kelly Shortridge (shortridge@hachyderm.io)'s status on Saturday, 18-May-2024 00:45:45 JST

    a confession: I’ve battled mourning doves for months, ever since I bought a bird feeder for my garden and they kept draining it in less than a day.

    they are allegedly stupid creatures, but that’s just what they want us to think.

    I am plausibly an expert in cyber defense, having written a book and academic papers, lectured at federal agencies and F500s alike — yet the doves thwart my every mitigation.

    I planned to write a blog post once I won, but my hope for victory further desiccates daily…

  15. Kelly Shortridge (shortridge@hachyderm.io)'s status on Saturday, 18-May-2024 00:44:01 JST

    tired: too many browser tabs

    wired: the system is struggling to absorb and regenerate from anthropogenic stresses

  16. Kelly Shortridge (shortridge@hachyderm.io)'s status on Tuesday, 07-May-2024 13:24:00 JST

    went down to the hotel lobby to retrieve my dinner delivery in a yoga outfit + snuggly cardigan + face mask.

    some men with #RSAC2024 lanyards exited the elevator as I re-entered; they turned back to look at me and one said (very loudly, very pointedly staring at me) to the other, “I was like, did you hire me a hooker?”

    if you are a man attending #rsac, please shut that kind of shit down when your peers do it. let’s not let insecurity rule our #security industry.

  17. Kelly Shortridge (shortridge@hachyderm.io)'s status on Sunday, 25-Feb-2024 03:35:54 JST
    in reply to
    • Bynkii
    • Insecurity Princess 🌈💖🔥

    @bynkii @saraislet I haven’t seen any real data on this, but if we assume the avg corp worker receives ~100 biz-related emails per day during the work week, that’s approx 26k per year. Let’s assume 50% have links.

    If they click on 1 malicious email link in a year, that’s a ~0.008% “fail” rate to them.

    Even if they click on 100 malicious links, that’s only ~0.8%.

    It’s entirely rational to click the damn links; spending even 1 min on scrutinizing each email adds up to 217 hours per year!

  18. Kelly Shortridge (shortridge@hachyderm.io)'s status on Tuesday, 20-Feb-2024 14:23:58 JST
    in reply to
    • Bynkii

    @bynkii there’s such a fucked up authoritarian streak in cybersecurity culture. If there’s one thing I could change, it’s probably that.

    My jimmies are rustled just reading that exchange

  19. Kelly Shortridge (shortridge@hachyderm.io)'s status on Saturday, 03-Feb-2024 09:09:42 JST

    in case there are other nerds out there who haven’t yet read this classic, behold “the case of the 500-mile email” https://www.ibiblio.org/harris/500milemail.html

    I adore the “absurd computer-borne mysteries” genre and kindly ask for more content from the annals of y’all’s careers

  20. Kelly Shortridge (shortridge@hachyderm.io)'s status on Saturday, 03-Feb-2024 01:52:56 JST

    tbh I’m getting frustrated hearing “everyone does this” from #cybersecurity engineers at high-growth tech companies when I talk about modern security / #resilience stuff.

    but then the “mature corp” majority often haven’t even heard of some of the basic concepts/practices, let alone are trying to adopt them…

    it’s why I often leverage the “two Americas” analogy to describe the state of cybersecurity today. These things really aren’t “obvious” to many and pretending they are widens the gap.


Kelly Shortridge (shortridge@hachyderm.io)

    Senior Principal @Fastly | O’Reilly author on Security Chaos Engineering | resilience + complex systems | infosec + behavioral economics | daedric prince of chaos | “In the information society, nobody thinks. We expected to banish paper, but we actually banished thought.” | previously @swagitda_