CrankySec

C is for Cunt

I don't know if you folks know this, but there's this concept called The Shirky Principle, defined thusly: Institutions try to preserve the problem to which they are the solution. If you think about it for a couple of minutes, you'll see that it makes sense from one angle: solving the problem you set out to solve for a price will eventually put you out of business. That's why you don't see shit being built for life anymore, or why every single piece of software you encounter today is rentware: to appease the gods of capitalism, parasites investors want businesses to sell you the same thing over and over again. Forever. We, as a society, have decided that "owning" things is passé, so let's just rent everything forever. You can always leave that Spotify playlist to your kids.

But this principle has another side that applies very well to our subject matter here. Suppose, if you will, you find yourself in a new job doing "cyber." The job description doesn't really matter because, from GRC to internal audit by way of red team, any example here can be applied to another area. Let's say you've been there about a month, and you have familiarized yourself with "the way we do things around here." Never mind the fact that "the way we do things around here" is the same everywhere, just bear with me for a second. You see some systemic, highly technical issues like "no one gives a shit about cybersecurity until it's too late!" Or "there's no way to test our controls/applications/infrastructure because we don't even have a list of the things we're trying to protect!" Or "how the fuck are you going to fix this now that this thing is finished, and you have no money left?" You know, normal cyber security fare. And what if I told you that everyone around you, including the people with the power to solve these issues, knows exactly how to solve these issues? They just don't want to. Your 10-ply vCISO probably knows that you need some sort of CMDB. Your head of pRoDuCt or whatever the fuck knows you need to think about cybersecurity risks when you're at the drawing board. Your CTO knows they can save millions of dollars every month if they sit down in front of their AWS dashboard and do some middle school math. Your CIO knows they can save money and increase good vibes by simply telling Microsoft/Adobe/Oracle to fuck right off. It's just that their career plan is pretty much "don't be there when these problems start making you look bad."

But they can't do that now, can they? Because "if you don't use your budget, it will get cut next fiscal year!" So the fuck what, super chief? Better do a round of layoffs than get rid of PowerBI? Or get rid of the office no one wants to go to, and when they do, they're just fucking Zooming all day anyway? Is it better to just throw money at your MSSP to deal with problems you know how to solve? Like, you went to school for this shit, bro. Are you telling me you don't know how this should work? Or are you telling me that this is exactly how it should work if you want to get rich and climb the ladder, trail of dead behind you be damned? It's not a good look. I mean, it's not a good look for me. And for you, discerning—and beautiful—reader. The little C-Suite Club thinks this looks amazing. Millions of dollars going to Microsoft means a lot of 100-level tickets, nose to the glass. It means rounds and rounds of the most stupid game on earth. It means a good time with prostitutes, cocaine, cigars, and scotch when RSA comes around. It is a great time. At your expense. You're losing sleep, stressed out of your mind, working 60 hours a week, neglecting your health, neglecting your family, neglecting your whole fucking life because you don't want to let anyone down, when, in fact, all you're doing is enabling these fucks. You are either going to have a heart attack at age 35, or work until you are literally on your deathbed just so a couple of fucks can get a blowjob in a ridiculous toy car while they chase and hit a little ball with some overpriced sticks in a piece of land that could've solved several unhoused folks' problems. To this I say: fuck that noise. We're going to find a better way. Or slack off trying.