CrankySec

20% of Zero is Zero

If you've made it this far into 2025, congratulations! You are one stubborn human being. It's getting harder and harder to wake up and get out of bed without yelling "fuck this" to no one in particular, and hiding under the covers. It feels almost uncouth for me to write about cybersecurity when there are more pressing matters at hand, but I am not qualified to talk about other things. I'm probably not qualified to talk about cybersecurity either, but you all have been kind enough to indulge me, so I'll keep doing it.

I'm not gonna lie, though: it's getting harder and harder for me to write anything at all. Everything's just depressing, and I don't use that word lightly. But enough about me.

If you've been around the block for a while, you know that this industry was always prone to hyperbole: some things get blown out of proportion, some people overestimate their own knowledge, and some people take advantage of the fact that this field is complicated to advance their own "brand" by speaking authoritatively about things they know very little about. It doesn't matter that reality insists on being nuanced and more complicated than what you can convey through a couple of paragraphs on LinkedIn. If you are in a position of power, and you sound like you know what you're talking about, you can get away with some bullshit.

Take the guy who was in charge of SolarWinds' cybersecurity when all that stuff went down. He went to something called CyberLawCon Conference to whine about the big bad government suing him for being a liar. Since a little bit of time has passed, attempts to rewrite history were inevitable, I guess:

“Even in my experience, there was a period of time where we were going through [our hack] and we start saying, ‘Well, can I expose this deficiency? Can I work on this thing that needs to get improved? How do I say this the right way that doesn’t make me liable?’” Brown said. “So all those questions start going through people’s heads during this time, and that’s one of the worst things that can occur. That 20% of my brain, for a period of time, got spent on thinking about liability as opposed to thinking about protecting the company.”

All fair points. Except, you know, fuck you. It was never about executives being unable to "expose this deficiency" or "work on this thing that needs to get improved" with the threat of legal action hanging over their heads. When some stenographer writes about "industry officials who have said the charges would create a chilling effect in the field that would make individuals less likely to probe for vulnerabilities if they could later face legal ramifications", I need to try real hard to keep my composure. Look at how this sentence is constructed vis-à-vis the actual subject at hand: we're talking about the SEC suing an executive for misleading investors.

The SEC alleged that the executive in question, the guy quoted above complaining about "thinking about liability", was full of shit, and talked a big game about the cybersecurity capabilities of his company, while knowing full well (allegedly) that it absolutely wasn't true. Then, you turn this thing around and start talking about a very real issue that cybersecurity researchers actually face when they try to disclose vulnerabilities.

It's not the SEC. It cannot be the SEC. The SEC has nothing to do with any of that. You know who threatens to sue researchers? The same companies whose CISOs are crying about being bothered by the SEC. You're saying that you should not be liable while slapping actual researchers with DMCA and Computer Fraud and Abuse Act violation claims.

Anyone can smell this bullshit from miles away, except, you know, "specialized media" who will eat up anything and everything these guys are saying because if they don't, well... they will have a real hard time reporting on anything. Which, quite frankly, would probably be better.

That was a lot of words to say what you probably already know: a lot of us work for some fucking assholes. And, obviously, that's nothing new or exclusive to our trade. But, since this is theoretically a cybersecurity blog, I write about these kinds of assholes.

And, look, sometimes the calls are coming from inside the house, too. Did you see those folks who gave a presentation about some undocumented ESP32 commands? Well, the researchers did exactly that: presented their research on ESP32 commands not documented by Espressif. Their employer, on the other hand, went ahead and called the existence of undocumented commands a "backdoor", which has way more serious connotations.

Words matter. Especially when governments are trying (still) to actually backdoor their citizens' phones. This ESP32 thing isn't a backdoor. And I'll ask you to read the reasons why from someone who knows what they're talking about. Now, a significant number of people who heard one side of the story will either believe (incorrectly) that there is a backdoor on ESP32 chips (there isn't), or, will assume (incorrectly) that the researchers engaged in some creative writing, which they didn't. So, you did your research, your employer distorted your words for fun and profit, and now setting the record straight will be a pain in the ass because your own employer misrepresented your findings.

What I'm saying is this: don't take this shit too seriously, because this industry as a whole is not serious. Don't go anywhere near the above & beyond, because that's just extra work for the same pay. Want to do cool shit? Do it as a hobby. Do it as a personal growth project. Maybe do it to help your loved ones interact with technology in a safe(ish) manner. If you're going to be thrown under the bus by some bitch CISO who cannot take responsibility for their fuck ups, at least try to not drive that bus yourself.