Offensive Security Is Useless... If You Don't Apply the Learnings

Offensive Security is useless…

… if you don’t apply the learnings in your everyday life.

At Microsoft, I was able to speak to the actual engineers who fixed Spectre and Meltdown. I’ve spent a career helping engineers fix some of the most technical and nuanced bugs in the industry. But I’ve frankly always had an identity crisis: while kernel bugs are objectively the coolest type of bugs, and sometimes grab headlines, the things that really affect people’s lives are ransomware and getting phished. Both are things that I’ve come to learn are fundamentally NOT cybersecurity problems. It’s a human problem. Here’s what happened:

Like most of you that use Verizon, we all noticed the outage on Wednesday, January 14th. There are a lot of thoughts I have on this event, be it the speculation that it was a cyber attack, the implications if it actually was a cyber attack, and the baffling interdependence of the nationwide network (why if there is an outage in New York am I in Washington also affected?).

By the way, do you think we’ll ever get a retrospective from them?

What I want to talk about is the following text message:

Text message showing $20 offer

At first, this didn’t set off any red flags, and if I wasn’t currently putting my daughter to bed when I received this, I probably would have clicked the link to see how easy it was to get my $20.

But then I remembered the advice I give out to all my friends and family, and one I even saw on LinkedIn earlier in the day - do not respond to text message links. We are in an epidemic of spam links.

When I went to look up whether this was real, it turned out that it is.

Screenshot confirming the offer is legitimate

Adding insult to injury, the number I received this from is different from the number that is somehow “officially” designated as Verizon in my phone.

Other Verizon message showing different number

So back to “offensive security is useless.” If we who love the technical details continue to miss the forest for the trees, we aren’t going to make people’s lives better. And I got into security to make people’s lives better.

This post is licensed under CC BY 4.0 by the author.