I want to call out our community for a second on AI. And this applies to me as…
My Philosophy and Recommendations Around the LastPass Breaches
If you follow Information Security at all you are surely aware of the LastPass…
Why I’m OK With Amazon Buying One Medical
A number of security people have come out against Amazon buying One Medical. It’s…
L33t H4cking vs. M0st H4acking
The Cybersecurity Skills Gap is Another Instance of Late-stage Capitalism
It’s common to hear that it’s hard to get into cybersecurity, and…
Thinking About the Future of InfoSec (v2022)
I’m starting a new series with this 2022 edition where I think about what…
How to Tell the Difference Between a Legitimate NFT and a Rug Pull
A lot of people, especially in the security industry, are concerned that NFTs…
Not All MFA is Equal, and the Differences Matter a Lot
People are starting to get the message that text/SMS is a weak form of multi-factor…
The Irony of InfoSec’s Reaction to Crypto, NFTs, and Web3
There’s something strange about how our InfoSec community is reacting to…
Comparing My Top Four Security Podcasts/Newsletters
I get asked a lot what my go-tos are for security content. My top four recommendations…
The Subsequent Waves of log4j Vulnerabilities Aren’t as Bad as People Think
If you’re reading this you’re underslept and over-caffeinated due…
The Vigilant
We should have a new internet group called The Vigilant—a group of open-source…
Degrees and Credentials in InfoSec
If you’re on InfoSec Twitter you’ve probably seen the recent iteration of…
It’s Time for Vendor Security 2.0
In a previous post I talked about how security questionnaires are security theater.…
Thoughts on the OWASP Top 10 2021
This post will talk about my initial thoughts on The OWASP Top 10 release for…
The Strange World of “Good Enough” Fencing
I’ve always been fascinated by security that was “just good enough”.…
Dead Drops and Security Through Obscurity
There’s massive confusion in the security community around Security Through…
The Presenting Vendor Paradox
There’s a paradox in information security where the community wants two…
Why an NTSB Wouldn’t Be Helpful For Ransomware
Twitter is great for quick ideas that may or may not be useful. I had one the…
Analysis of the 2021 Verizon Data Breach Report (DBIR)
Every year I like to look at Verizon’s DBIR report and see what kind of…
Explaining Threats, Threat Actors, Vulnerabilities, and Risk Using a Real-World Scenario
Casey Ellis (of Bugcrowd fame) had a great post on Twitter today about security…
What if We Made Paying Ransoms Illegal?
I was on Twitter the other day and saw someone suggest that we could fix people…
The Consumer Authentication Strength Maturity Model (CASMM) V6
If you know anything about internet security then you likely spend a lot of your…
A @TomNomNom Recon Tools Primer
There are recon tools, and there are recon tools. @tomnomnom—also called…
3 Metrics That Will Indicate We’re Taking Security Seriously
A lot of people are surprised when I tell them that computer security isn’t…