Shipping security features is fun and rewarding, and eventually I’m going to have to start saying no to projects. But today is not that day.
Shipping Security Features
As I’ve previously talked about, I’ve been in Security Engineering now for a bit over 3 years. It’s been great because I have a wide range of impact at the startup I’m at, from appsec to cloudsec, corpsec to devops, I’ve been everywhere. But the past couple weeks I got to do something that I’m pretty excited by.
A customer reached out to us with a problem. I won’t go into too many details, but I had predicted this problem coming up a year ago and did a bunch of design work on a solution, but then let it sit in the backlog – no one was asking for it yet. When the customer got routed to me as the expert in the domain the problem was in, I made sure the solution would work for their needs, and then within a week I had implemented the new feature and unblocked not just this customer, but basically all of our future enterprise customers.
The feature was heavily security related, pertaining to authentication to our platform. Our engineering team was swamped with other prioritized work. I was able to take the project and build out the backend, frontend, and an implementation plan for the customer within about 2 weeks. Last week they started moving from the testing stage to the implementation phase for production, and that’s very exciting for me. I feel like in all my time in security, it’s been very rare to have any sort of direct customer impact, let alone direct customer impact that has the potential to actually increase revenue.
Security doesn’t have to be just a cost center, I guess. I’m already scheming on the next enterprise security feature I’m going to build next quarter.
Project Overload
Not only do I have all the work I’ve been outlining in my Upcoming Projects section of my posts, talks, trainings, music performances, music production, etc, but I’ve also taken on another pentest outside my normal work this month. I’m excited about the pentest, for sure, it’s an interesting target and I have plans for the income it produces. But also the timing on this one wasn’t great, since we’re traveling next week and will be traveling for a week and a half. So I have to carry my work laptop for my work things, and my personal laptop for the pentest work.
On the flip side, the additional monetizable work gives me courage that I could probably survive on my own if I wasn’t working my 9-5 anymore. Not that I have any plans to quit anytime soon, but I would one day really like to be independent and work for myself. And it seems like we’re getting there.
I also have a secret that I haven’t shared with any of you yet. I’m not sure when I will. But it’s exciting, for sure.
What I’m Reading
Tor: From the Dark Web to the Future of Privacy
By Ben Collier
ISBN: 9780262548182
I’m excited to get started on this book this week. I’ve long been an advocate for Tor and am excited to read a more thorough biography of it.
Interesting Links
- Declaratively Manage Qubes OS - I continue to pursue my dream of an operating system offering Qubes-like isolation and NixOS-like declarative configuration. I’m not the only one, Solène wrote about using Salt to manage Qubes configuration. Not quite what I want, but certainly one approach.
- Sandboxing All The Things with Flatpak and BubbleBox - Another approach to sandboxing all your applications, this one doesn’t really work like Qubes or Nix, but it does cover some really interesting sandboxing approaches.
- Encryption At Rest: Whose Threat Model Is It Anyway? - Scott Arciszewski back with another thoughtful discussion on Encryption At Rest. Encryption at rest is valuable, but simply checking the full disk encryption box rarely addresses today’s threat models.
- Hacking Millions of Modems - Sam Curry regales us with a fascinating investigation spanning multiple years, ending in remote code execution on millions of Cox cable modems. Great work.
- Kevin Beaumont’s Recall Research - Announcing Recall in the same year that you’re supposedly prioritizing security over everything is a pretty bold move. This post covers exactly how much of a nightmare it is for your security.
- Paged Out! #4 - Paged Out! issue 4 released this week, give it a read!
- Interesting Sheriff’s Office Call Scam - A pretty interesting scam using a lot of very tailored information. Highly targeted supporting evidence, a pretext that automatically puts recipients into a mindset of dealing with authority, with the threat of jail time if you don’t comply.
- The Gentlemen Hackers Interview: The Grugq - A great (but lengthy, at 1.5 hours) interview with The Grugq that covers his background, his expertise in operational security, nation state cyber doctrines, and more.
- Wired Bluetooth Headphones? - A fascinating story about how cheap manufacturers have circumvented Apple requirements and trained whole communities that Bluetooth must be on to use wired headphones with their phones.
- Things you wish you didn’t need to know about S3 - S3 is a little cursed, actually.
- Why encrypted backup is so important - An older Matthew Green post outlining why encrypted backup is such an important thing to get right, and how without it, so much other privacy can be eroded.
- What makes a good secure encrypted messaging app - A Matthew Green twitter thread about various secure messaging apps and how they differ, what challenges they face, etc.
- Calling time on DNSSEC? - A post on the APNIC blog about DNSSEC and how maybe it’s time to let it go.
- Stop using Opera Browser - If it wasn’t for the hundreds of YouTube gamer influencer ads I’ve seen for Opera GX, I wouldn’t think anyone even still used it. But here are some reasons why maybe you shouldn’t.
Upcoming Projects
- BSides Las Vegas Talk - Pending feedback on CFP submission. (Due: N/A - Done)
- OWASP Global AppSec Training - (Due: N/A)
- Defcon 32 Call for Artists - Submitted, pending response. (Due: N/A - Done)
- Defcon 32 Call For Soundtrack - I’ve submitted my new song “Oh Dade”, produced by Mikal kHill. If it’s accepted, it will debut on the Defcon soundtrack. If it’s not accepted, I will release it the same day I find out it’s not accepted. (Due: N/A - Done)