Conversation

I genuinely would like to talk about infosec, but it's hard when the world is on fire and the people who -need- to talk about infosec are focusing on AI zero day when they still have Windows XP machines in their networks.


@ra6bit It all seems rather trite to wank on about it when everything is in existential threat.


@ra6bit my favorite pentests have always been ones where I find like three or four different versions of a piece of software across as many different versions of Ubuntu.

Not that there's anything super wrong with Ubuntu, but it's kinda wild how many times I've had to write 'build out a CMDB. Establish change control and patch management programs' as recommendations. Cart before the horse, and all that

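The situation the post above describes (the same software at several versions across several OS releases, with no inventory to show it) is easy to surface once an inventory exists. The following is an added example, not code from anyone in this thread: it takes a constructed host/package inventory (sample data, not from any real network) and reports version sprawl per package, OS spread, and hosts on OS releases the organisation has marked unsupported. The `UNSUPPORTED_OS` set is a constructed policy input; a real tool would pull vendor end-of-life data instead of hard-coding it.

```python
"""Report software-version sprawl and unsupported OS releases from a host inventory.

Added example with constructed sample data; not code from the thread above.
"""
from collections import defaultdict

# Constructed sample inventory: one row per (host, package). Not real hosts.
INVENTORY = [
    {"host": "web-01", "os": "Ubuntu 18.04", "package": "openssl", "version": "1.1.1"},
    {"host": "web-02", "os": "Ubuntu 20.04", "package": "openssl", "version": "1.1.1f"},
    {"host": "web-03", "os": "Ubuntu 22.04", "package": "openssl", "version": "3.0.2"},
    {"host": "db-01", "os": "Ubuntu 20.04", "package": "postgresql", "version": "12.9"},
    {"host": "db-02", "os": "Ubuntu 20.04", "package": "postgresql", "version": "12.9"},
    {"host": "legacy-01", "os": "Windows XP", "package": "openssl", "version": "0.9.8"},
]

# Constructed policy input (assumption): OS labels treated as unsupported here.
# A real program would look up vendor end-of-life dates rather than hard-code them.
UNSUPPORTED_OS = {"Windows XP", "Ubuntu 18.04"}


def version_sprawl(inventory):
    """Return {package: {version: [hosts]}} for packages seen at more than one version.

    Packages that are consistent across all hosts are omitted, so the result is
    exactly the set of things a patch-management program would need to reconcile.
    """
    by_pkg = defaultdict(lambda: defaultdict(set))
    for row in inventory:
        by_pkg[row["package"]][row["version"]].add(row["host"])
    return {
        pkg: {ver: sorted(hosts) for ver, hosts in versions.items()}
        for pkg, versions in by_pkg.items()
        if len(versions) > 1
    }


def os_spread(inventory):
    """Return {os: [hosts]} so the number of distinct OS releases is visible at a glance."""
    by_os = defaultdict(set)
    for row in inventory:
        by_os[row["os"]].add(row["host"])
    return {os_name: sorted(hosts) for os_name, hosts in by_os.items()}


def unsupported_hosts(inventory, unsupported=UNSUPPORTED_OS):
    """Return the sorted list of hosts whose OS label is in the unsupported set."""
    return sorted({row["host"] for row in inventory if row["os"] in unsupported})


def findings(inventory, unsupported=UNSUPPORTED_OS):
    """Summarise the three checks as plain recommendation lines for a report."""
    lines = []
    for pkg, versions in sorted(version_sprawl(inventory).items()):
        lines.append(f"{pkg}: {len(versions)} distinct versions in use; "
                     "standardise via change control and patch management")
    spread = os_spread(inventory)
    if len(spread) > 1:
        lines.append(f"{len(spread)} distinct OS releases in the estate; record them in the CMDB")
    for host in unsupported_hosts(inventory, unsupported):
        lines.append(f"{host}: running an unsupported OS release; schedule migration")
    return lines


if __name__ == "__main__":
    for line in findings(INVENTORY):
        print(line)
```

`findings` deliberately returns strings rather than printing, so the same checks can feed a pentest report, a ticketing system, or a test. Extending the inventory with more rows (or loading it from a package-manager export) needs no change to the analysis functions.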

@ra6bit: very much agree with this


@ra6bit IME pentests can facilitate those things, e.g. I think every pentester has a story where the client's first inventory was compiled because it was needed for pentest scoping. Ofc this is far from ideal, but at least it drives things in the right direction

@ra6bit if you want a “technical” problem really bad, figure out a method of identity that is both reasonably secure and resilient to all the weird stuff that real legit users do.


@ra6bit I was mostly referring to the fact that we tend to tie MFA to phones, but the fact that names aren’t static is also a thing.
