I agree with RSnake. It seems the inescapable curse that the more successful one becomes in the infosec industry, the more interesting information they may access and the less they can share about it. It’s terribly frustrating and unfortunate because so much is lost as a result. When my blog started it was simply a place where I could speak openly about personal webappsec interests, meet others in the community, and converse on a wide variety of technologically cutting-edge and conceptual topics. I had no idea if anyone would even care to read it. Still, I’ve always tried to be completely open about what I believe and whom I work for, because bias will surely creep in.
Almost ten years in the industry, some two years of blogging, and 500 posts later, never did I dream that I’d get to meet so many great people whom I learn a lot from and receive such a tremendous readership. For that I’m grateful and have always been committed to giving back by sharing what I know and assisting others where I can. During the same time, professionally I get access to way more highly sensitive and sought-after information than ever. Knowledge that’d make you laugh, cringe, worry, think, get excited, and get upset. Much of it is locked up in NDAs, intellectual property, and business relationships, but it also helps me see what’s coming 2-3 years out.
This brings me to the second thing I agree with RSnake on. Things are bad, much worse than they appear, worse now than when I started, and probably because we’ve learned a great deal about the existing problem, as have the bad guys. Top down are endless mountains of critical vulnerabilities we’re incapable of fixing the conventional way (through code), built on platforms of technology that are suboptimal security-wise, and we can’t simply start over from scratch. Bottom up are incidents taking place daily, some waiting to take place, rarely spoken of, especially by me, and almost never in detail by anyone. I only get to hint at the specifics and what lessons we may learn. Heck, I can’t even share a lot of it with RSnake for the same reasons he can’t share back.
This means the bad guys have an edge. They aren’t bound by the same rules as we are, and as a result are more nimble than us. That’s the third thing I agree with RSnake about. Readers here and on his blog have the clearest path to reveal the things we can’t directly. That’s why we support them the best we can, and perhaps this is a healthy progression that keeps the industry fresh with new people and ideas. This is not to say I won’t be doing everything in my power to provide the information people need to protect themselves online, should they want to. That’s essentially what I do for a living, and I have no desire to make a living writing books. :) So with that, I disagree that my blog at least will be watered down. I’ve still got lots of cool stuff to talk about, look forward to hearing what others think, and thank you to everyone who takes the time to read.