Or maybe snake oil is the wrong term. I don’t know if there’s a term for someone who warns others and they never listen, because it seems no matter how much you break into buildings and expose the flaws, hack a bank’s transaction, or infiltrate a database, the company will thank you, pay you a few hundred thousand dollars, then do nothing to change.

Essentially it just seems like I’m helping big companies bypass regulations by rubber stamping their pinky promises to change. I guess internal security auditing might be a little better, but I don’t know

  • Shinji_Ikari [he/him]
    ·
    1 year ago

    The nature of cyber security and vulnerabilities is banked on things being overlooked. Bug bounties are honestly a great idea because A) hackers will do this regardless, A-2) if there isn't a good legal outlet, the vulns can do a lot of damage. and B) might as well pay the hackers for their time so they don't sell to a higher paying buyer.

    The industry as a whole is more complicated. I wouldn't call red-teamers selling snake oil, I'd say a majority are incredibly skilled, the shitty part is when execs pay for the audit but not the remediation.

    Regulating secure software honestly sounds like a nightmare and a fools errand. Not in a "regulation is bad mkay" sorta way, but the people writing the regulations almost never know the systems.

    Properly punishing companies for allowing data breaches with a paper trail of being warned, is probably a better way forward.

  • Frank [he/him, he/him]
    ·
    edit-2
    1 year ago

    Usually we refer to someone who gives warnings others ignore as Cassandra. Cassandra being the princess of Troy who was cursed by Apollo to know the future, but not to be believed by anyone. Basically the most relatable human being in existence if you're a leftist.

    • UlyssesT
      ·
      edit-2
      16 days ago

      deleted by creator

  • luxurycommunism [he/him]
    ·
    1 year ago

    my experience with auditors is that they are mostly fucking morons driving expensive cars. personally, i cannot wait to transition.

  • mayo_cider [he/him]
    ·
    edit-2
    1 year ago

    There's plenty of snake oil, it's not really that hard to break into an average office, especially compared to corporate espionage in the form of breaking and entering

    On the other hand, it's a grift I can respect

    • mayo_cider [he/him]
      ·
      1 year ago

      Oops, I was high and thought you were talking just about physical penetration testing

      Software side is even worse, most of them just run a generic test sweep and catch a 15 year old vulnerability because you didn't think about security before the cool hacker guy showed you his terminal

      Still a cool grift though

    • Frank [he/him, he/him]
      ·
      edit-2
      1 year ago

      The list of lists I'm on is starting to turn to become a data management hassle for the feds.

      Also; Remember kids - Don't spend the money! Bank robbers get caught because they 1.) talk about it 2.) buy shit they conspiciously should not be buying and 3.) they rob two banks

      Don't talk about it. Ever. Not to your priest, not to your wife, not to your FBI handler. Don't tlak about it. Don't allude to it. Don't ever mention it to anyone in any way ever.

      Don't buy stupid shit. Ideally do not buy anything. Bury your cash somewhere. Back in the day you'd literally bury it in a mine but idk how electronic monopoly money works these days so i don't know. But the important thing is to leave that money alone for 10-20 years, and then when you do start to spend it you spend it on little stuff a little at a time. Like you stole 120,000,000 dollars? Great, practically? You're going to spend an extra maybe 10-15k a year, after your 10-20 year wait is over. And only if you've got a job that can sorta-kinda justify it enough that you don't get audited. No buying houses for your gran, no buying fancy cars, no buying crates of... well, actually, if you're buying crates of missiles you're probably not going to live long enough to worry about the financial crimes guys catching you. But the second way you get caught is if you spend the money in ways that stand out and raise eyebrows

      Third - Don't rob two banks. Rob one bank, then never rob a bank again. People get caught because they do the same thing twice, or the feds get two okay pictures of your face, or whatever. I mean. 90% of the time you get caught because someone told their boyfriend about the heist, and 9% of the time it's because you bought everyone in your family tree a condo, and 1% of the time it's because cops actually did something resembling detective worked and associated your picture with a van rental in the next town over, but that 1% was a doozy.

      Thank you for reading Uncle Frank's "Don't get caught" primer. Remember; Don't let them take you alive or they will make you rat on your comrades.

    • TankieTanuki [he/him]
      ·
      edit-2
      1 year ago

      👀

      Would be fun to be a 21st century young Stalin. After skimming the article I understand how international SWIFT payments could be falsified, but I still don't see how you could get the funds out of the target bank account securely.

      • JoeByeThen [he/him, they/them]
        ·
        1 year ago

        Have not done it, but I've followed a couple of these through the years. A couple rules for success seem to be:

        • Bounce the money around as much as possible
        • Never personally touch the money; i.e. at no point should you personally try to profit from the stolen cash.
        • split up the cash as much as possible; donate it as cash to charities, buy large amount of stuff that can be donated, make large purchases from organizations you want to support.

        Basically, use the money to fund projects that make the world better around you. Don't buy a ferrari.

  • UnicodeHamSic [he/him]
    ·
    edit-2
    1 year ago

    I think it is grift mostly. Big companies get a lower insurance premium if they pay to have it done or whatever. So they do the test. Ignore the results and if anyone ever tries to sue, you have a receipt saying you did your due diligence