khm
@khm@hj.9fs.net
About: Posts 10, Topics 0, Shares 0, Groups 0, Followers 0, Following 0

Posts

  • genuine question, no snark, because i'm in the middle of copywriting research and i'm seeing apple launched an "iphone air": what's the benefit of a thinner iphone?
    khm
    hilariously I got this phone as a less constrained alternative to my Punkt MP-02! but it sure is not for everyone.

    CC: @photomattmills@sfba.social @mntmn@mastodon.social
    Uncategorized

  • genuine question, no snark, because i'm in the middle of copywriting research and i'm seeing apple launched an "iphone air": what's the benefit of a thinner iphone?
    khm
    oh, I'm sure someone will make a small-screen thick phone

    CC: @photomattmills@sfba.social @mntmn@mastodon.social
    Uncategorized

  • I told Joshua Aaron, developer of ICEBlock, that he was running a vulnerable version of Apache on his server.
    khm
    in a world with unfettered access to massive stores of knowledge, most ignorance is malicious

    CC: @dalias@hachyderm.io @micahflee@infosec.exchange
    Uncategorized

  • I told Joshua Aaron, developer of ICEBlock, that he was running a vulnerable version of Apache on his server.
    khm
    I presume the deflection indicates I've got through to you and you finally understand my argument. Glad we got there in the end!

    CC: @dalias@hachyderm.io @micahflee@infosec.exchange
    Uncategorized

  • I told Joshua Aaron, developer of ICEBlock, that he was running a vulnerable version of Apache on his server.
    khm
    My initial criticism was "zero followup work," thus rendering the blog posts baseless fearmongering, and now I'm saying it's not his place to follow up, which is consistent because the blog posts are a bad idea which should not have been posted to begin with.

    Not sure why this is confusing for you, but given that you think you can read emotions through social media posts, I'm sure a lot of things are confusing for you

    CC: @dalias@hachyderm.io @micahflee@infosec.exchange
    Uncategorized

  • I told Joshua Aaron, developer of ICEBlock, that he was running a vulnerable version of Apache on his server.
    khm
    I'm not suggesting any means by which he follow up, because it's not his fucking place to follow up. That's why I said what I said -- the shit he found warranted one friendly email and no more. The complete lack of information about the operating environment possessed by Captain Blogsalot is a Very Large Signpost that this rando is not the person to publicly pillory some other rando. That's my entire point! It doesn't even matter who is right, because there is nothing here to be right about.

    I'm assuming it's the former because I have no reason to believe it's the latter. What you're deriding as "frustrations from my JOB" is what is known in the industry as "professional experience," which is the arcane lore that you asked about and which allows me to recognize when some blogger fuck is sticking his nose where it is not helpful. I hope this context brings you peace.

    CC: @dalias@hachyderm.io @micahflee@infosec.exchange
    Uncategorized

  • I told Joshua Aaron, developer of ICEBlock, that he was running a vulnerable version of Apache on his server.
    khm
    just for shits and giggles, I'll give a sterling example regarding this kind of bullshit being problematic in an actual working environment.

    normally, when one purchases a RHEL license, you purchase a license for the major version. You're expected to roll along from e.g. 9.2 -> 9.3 etc. However, for precisely-engineered things like supercomputers, this is not a good idea, because it subjects you to performance regressions that aren't tested for in the mainline distro. Red Hat's solution to this is to offer "EUS" licenses -- extended update support. This means you can stick on e.g. 9.2 far longer than the normal contract, because Red Hat does the work backporting security patches. What doesn't change is the upstream version numbers tagged on the packages.

    For an inexcusably long time, Nessus didn't support this unless you had a full-time person on the backend identifying the package versions (including release and/or build versions), which almost nobody does.

    The result? You follow all the STIGs, you've got vendor security support, your node bringup health-check runs POC code to confirm known vulns are covered, and you still get angry emails with six hundred false positives from whatever peabrain is lazily running the Nessus scan. Now, instead of doing actual administration, you have to write memos, rehashing the arguments you made last time, because the kind of "security engineer" who hits the panic button behind some bullshit lasts about six months on the job, but the badly-configured Nessus deployment outlives them to be run by the next box-checker to warm that seat.

    This is exactly the same scenario. Some low-information box-checker gets angry because nobody listens to their baseless whining. The only difference is it's happening on some asshole's blog instead of in an Outlook thread with everyone's managers CCed.

    CC: @jazzhandmedowns@mastodon.sdf.org @dalias@hachyderm.io @micahflee@infosec.exchange
    Uncategorized

  • I told Joshua Aaron, developer of ICEBlock, that he was running a vulnerable version of Apache on his server.
    khm
    1. Nobody said that. My assertion is this dipshit didn't have sufficient evidence for anything more than an email worrying about the Apache version. Once. Not a series of histrionic blog posts about it.

    2. Nobody said that. It was the rest of the behavior that constituted bullying. You're going to have to come up with a better approach than "inaccurately summarizing my arguments" to get anywhere here.

    3. Yes, I do, because Nessus as deployed at many agencies is a box-checking exercise used in place of proper security engineering. I can provide dozens of real-world examples of poorly-configured Nessus scans doing more harm than good, but I don't think you're making a good-faith argument here, so it's probably not worth my time.

    lol. "easily verifiable claims" lmao

    CC: @dalias@hachyderm.io @micahflee@infosec.exchange
    Uncategorized

  • I told Joshua Aaron, developer of ICEBlock, that he was running a vulnerable version of Apache on his server.
    khm
    not to mention the fact, as mentioned, it's not possible to ascertain which CVEs apply based on an arbitrary version string or nmap fingerprint. now this jerk is victim-blaming the person who was bullied into reinstalling software because some clout-chasing beancounter needed something to tiktok into a camera about.

    like of course this dude had to do something, he had some twerp with a basement full of followers shit-talking him with zero evidence and then shit-talking him again for correctly blocking an ignorant gadfly.

    this whole thing is an embarrassment and it's the worst kind of pedantic bullshit "cybersecurity" that helps nobody but a self-aggrandizing parasite.

    CC: @micahflee@infosec.exchange
    Uncategorized
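The two posts above (the RHEL EUS backport scenario, and the point that a version string or nmap fingerprint alone cannot tell you which CVEs apply) describe one concrete failure mode: a banner-only check sees "2.4.37" and cannot distinguish an unpatched build from a vendor build carrying a backported fix under the same upstream number. The following is an added example that is not code from the thread, from Nessus, or from Red Hat; it contrasts a banner-only check with an inventory-aware check that compares the installed package version-release against the vendor's fixed release. Every host name, stream label, version-release string and the advisory ID `ADV-PLACEHOLDER-1` is constructed for illustration, and `rpm_vercmp` is a simplified version of RPM's comparison rules (tilde and caret handling omitted).

```python
# Added example for this thread's point about backported fixes; it is not
# code from the thread, from Nessus, or from Red Hat. Every version number,
# stream label, host name and advisory ID below is constructed for
# illustration; "ADV-PLACEHOLDER-1" stands in for a real advisory ID.
import re
from dataclasses import dataclass

_SEG = re.compile(r"\d+|[A-Za-z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: split into numeric/alpha segments and compare
    them in order. Numeric segments compare as integers (so 10 > 9), alpha
    segments lexically, and a numeric segment outranks an alpha one. The
    longer string wins on a tie. Tilde/caret rules are omitted."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def evr_cmp(a: str, b: str) -> int:
    """Compare two 'version-release' strings: version first, then release.
    The release field is where a vendor backport shows up."""
    av, ar = a.split("-", 1)
    bv, br = b.split("-", 1)
    return rpm_vercmp(av, bv) or rpm_vercmp(ar, br)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder ID, not a real CVE
    fixed_upstream: str     # first upstream release with the fix
    fixed_vendor_evr: dict  # stream label -> version-release carrying the backport


@dataclass(frozen=True)
class Host:
    name: str
    banner_version: str     # what the Server header / nmap fingerprint shows
    stream: str             # which vendor update stream the host tracks
    httpd_evr: str          # installed package version-release from inventory


def banner_check(host: Host, adv: Advisory) -> bool:
    """What a banner-only scan can do: flag anything older than the upstream fix."""
    return rpm_vercmp(host.banner_version, adv.fixed_upstream) < 0


def package_check(host: Host, adv: Advisory) -> bool:
    """What an inventory-aware check can do: compare the installed
    version-release against the vendor's backported fix for that stream.
    If the stream is unknown, fall back to the banner (there is no better data)."""
    fixed = adv.fixed_vendor_evr.get(host.stream)
    if fixed is None:
        return banner_check(host, adv)
    return evr_cmp(host.httpd_evr, fixed) < 0


def triage(hosts, adv: Advisory) -> dict:
    """Run both checks and report which banner hits the package data retracts."""
    banner_hits = [h.name for h in hosts if banner_check(h, adv)]
    package_hits = [h.name for h in hosts if package_check(h, adv)]
    return {
        "banner": banner_hits,
        "package": package_hits,
        "false_positives": [n for n in banner_hits if n not in package_hits],
    }


# Constructed sample data: one advisory, three hosts.
ADVISORY = Advisory(
    advisory_id="ADV-PLACEHOLDER-1",
    fixed_upstream="2.4.58",
    fixed_vendor_evr={"eus-9.2": "2.4.37-56.el9_2.1"},  # constructed backport release
)
HOSTS = [
    # Patched EUS node: old upstream number, newer release tag with the backport.
    Host("node01", "2.4.37", "eus-9.2", "2.4.37-56.el9_2.1"),
    # Unpatched EUS node: same banner, release predates the backport.
    Host("node02", "2.4.37", "eus-9.2", "2.4.37-51.el9_2"),
    # Self-built host on upstream 2.4.58: no stream data, the banner is all we have.
    Host("build01", "2.4.58", "custom", "2.4.58-1"),
]

if __name__ == "__main__":
    result = triage(HOSTS, ADVISORY)
    for key, names in result.items():
        print(f"{key:16s} {names}")
```

With the constructed data, the banner check flags both EUS nodes while the package check clears node01 and keeps node02, so node01 is the false positive the thread complains about. The design point is that the release field, not the upstream version, carries the vendor's fix, so any scan that lacks package inventory for the stream a host tracks should be read as "possibly affected, verify" rather than "vulnerable".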

  • I told Joshua Aaron, developer of ICEBlock, that he was running a vulnerable version of Apache on his server.
    khm
    They definitely do not have any reason and this is a bad-faith post for clicks. If you read the post they did zero followup work to confirm any vulnerability and just spent all their time instead complaining about being ignored. Instead of doing anything constructive, this person just bullied a stranger based entirely on a scan banner.

    We have this automated where I work; it's called Nessus, and everyone hates it, because like this person, it lacks context, doesn't understand the things it alerts on, and we'd be better off without it.

    CC: @micahflee@infosec.exchange
    Uncategorized