How compliance kills Security (and Romance)…

Let’s say you go on a date. A first date.

You dress up like a prince and get your glossy watch on. You take an aromatic bath and brush your teeth white as deadbone. Then you spill an abundant portion of your most expensive cologne on your freshly shaved neck and leave home to find your sparkly car you washed in the morning. You fire up a Cesaria Evora CD and hit the road, sure you are gonna impress that sweetie to the bone.

Yes, you guessed it right. You are a Sales Manager.

And the date is with a manager of another company, who just happens to be female. She is gorgeous and all, but you are totally interested in something else… You know she wants to get an ISO (or whatever) certification for her company, and the last requirement for the certification is a Risk Management / Penetration Test Schedule / 24-7 SIEM Service. It also just so happens that you work in a Security Company as well. And the game begins…

A game that feels more like a “cat & mouse” game than a “woman & man” game…

Step 1

She tries to convince you that she has met other guys as well, almost as handsome as you, but she really likes your ways, while you try to convince her that you are the best of your kind because you have the most expensive car of all the other men.

Step 2

She tries to convince you that her company has several other offers but she just wants to collaborate with you, while you try to convince her that your company has the best RA tools following the latest standards, the most expert Pentesters (who used to work as Hackers on the Dark Web before your company recruited them) and the most accurate super-behavioral SIEM (based on Big Data®) on the market.

Step 3

A really romantic conversation starts about “Hacking”, Information Security, and viri – the plural of virus, as it is a Latin word (you will try fuckin’ everything to impress her). You mention how someone broke into your Gmail the other day, but you logged in quickly and locked him out by insta-changing the password, how you are sure that your Android device takes pictures of you, how aware you are of e-mail phishing, and you play your final card with Advanced Persistent Threats (pronounced really slowly, as English isn’t your mother tongue – and you speak in English while you are both Greek), what happened in 2009 and Mr. Robot.

Those conversations make my heart warmer. Always between someone who hasn’t spawned a ‘cmd.exe’ in his life (locally, not remotely) and someone else who Just-Only-Really needs his company certified and doesn’t give a shit about computers apart from Microsoft Excel (he is the one who clicks “Enable Editing” to run the macros just for the hell of it – because this button shouldn’t stay there unclicked).

So romantic that my heart skips!

Endgame / Aftersale

Her company is now a client of yours, got certified and you continue dating her… The RA/PenTest/SIEM integration went great, found a lot of issues and all. Her company hired another company to fix the bare minimum of issues (fixing security bugs can be costly) required to pass the certification (enable some SSL, patch the Windows XPs to Service Pack 2 at least – for god’s sake –, refine the ‘any to any’ firewalling).

Your dates are great as well! She likes your taste in music and wine and you adore the wide smile she gives you when you talk about just about anything (you remind her of her father, who until she was about 15 she was sure knew everything – maybe in another article).

After a week you forgot to brush your teeth before going out with her. After two weeks you forgot your wallet at home, remembered it just before you fired up the Cesaria Evora CD and said “Fuck it, we will eat cheap tonight” – you ended up both smoking on a bench (her cigarettes), talking about your previous relationships and eating chips. After three weeks you turned down a date with her to get wasted with your college friends, and after a month you had a hot-dog with chili con carne and jalapeños session just before you slept at her place and farted (silently) all night long in her bed.

While you were dating, your company didn’t report all the issues found in the latest PenTest and filtered out some of her company’s constant suspicious behaviours as “they won’t fix them anyway” (and they won’t, that’s for sure).

In terms of relationships this phenomenon is called Over-Familiarization, in terms of companies this is called Compliance.


The Break-Up / End of Collaboration

One day her company’s website has a DickPic favicon and a “Smoke Weed Every Day 420”-whatever index page, while some domain user double-clicked a “CallOfDuty2_keygen.exe” or downloaded an EXE from the Internets to fix an “ntoskrnl.exe is missing” issue, or the CEO clicked on an “Enlarge your Penis” spam e-mail link (spear-phishing?) and got a nasty ransomware that encrypted all the SMB shares. Not to mention that some of its domains are blacklisted in Spamhaus EDROP.

One day she wakes up feeling utterly neglected. She slept with the lights on, waiting for a call from him. Her mouth has that sour wake-up taste and she is out of coffee too. Life sucked bad, but not that bad until the phone rang. She got a call from the office (she is a manager – remember! She is never at her office when she is needed) about the situation. There is another Security Company promising to “fix things”. She has to arrange a Business Meeting with her boyfriend to end the collaboration. She was also feeling like breaking up… Perfect match.

(She knows she won’t miss his sleepovers. Not one bit)


The Good Guy

Oh, that new guy! He is an IT Manager in the Security Company hired to fix everything. And, good lord, he really did!

He works at the R & D department and he is every woman’s dream. He is always like “C’mon babe, let’s try something new” and she is like “That’s the first day of the rest of my life“. We could really say he patched her systems up!

He gets distant sometimes (when he stares at packets or debuggers all day without any outcome), but then he rises up again, better than before, ready for more winter road trips, drive-by cinema nights, coffee, cigarettes and breakfast-in-bed Day-Off mornings, or ice-cream afternoons!



It’s once more the “who will get the girl” problem. And I mean who will really get her. And it’s all about motivation. Greyhats may be “unethical” sometimes (again, it depends heavily on the context) but their heads are pure R&D labs. They lead the way, with the rest of the InfoSec community chasing them (DefCon is the bright example, where people with questionable ethics spill knowledge freely in every direction)…

And as long as companies rely only on compliance (meaning standard procedures, no research) for their income, they refuse to take part in the chase.

And real hackers will continue to really get the girls.



2 thoughts on “How compliance kills Security (and Romance)…”

  1. I can’t even remember what shit I was googling to get here… this is actually pretty funny in a post-William-Gibson kind of way. I have these nightmares and I can’t sleep anymore… I keep dreaming that I am in 2017, the far-freakin’ future – like “Blade Runner” time, and all this really critical shit is due right now!, and I have this whole series of stuff that has to be done right now, and I am in the middle of this gawd-awful Matrix-like dream with people getting killed, cities nuked, etc. etc., and – yeah, it’s this far future thing, but really, I just need to wake up, and go meet some friends and drink some good booze and eat a nice dinner at Ruth’s Chris, and – yatta/yatta – right?

    This is the dream – and of course, I finally wake up – and think, “Oh fuck, I am glad that horrorshow is over….” and then – I look around at this shit in my bedroom – an iPad and a bunch of vacuum tube shit and a giant (circa 2005 – really old) plasma screen, and more weird shit that takes my sleepy-wrecked brain time to recognize – and I realize with this awful pit-of-fear feeling that this *actually IS* 2017, and I am really here, and most people I know are now fucking dead, and my synth reality is somehow hard-coded back in the late 1980’s, and I keep flashing back to that time like Billy Pilgrim in that crazy Vonnegut novel that got made into that flick called “Slaughterhouse Five”, IIRC… I seem to be drifting in fucking time…

    Gotta tell you, it is not nice. So I stay awake and dick around on the internet with my fast wimax link and run into actually quite clever blogs like this.

    Security is just fucking hilarious now – unless you are Edvard Snow Den, right? (And I am trying to think of some stupid clever caption to put on a profile picture so I can msg-chat with some tart on the other side of the planet on this meet-tarts site. WTF am I even doing?).. I have all the issues this guy talks about, except I am becoming the fucking Finn (this loser techno-recluse in a William Gibson story..) Not a path I want to track. I run a Linux gateway box, with SELinux enabled, SSL access (no root login of course), and I get – like every fifteen fucking minutes – all these dickheads trying to break in – and for fun, I honeypot the thing, and track down all their IPs and addresses – they are China, Romania, Russia, and Slovenia (fuck, there must be a city in one of those euro-crap countries where every cunt is running (or trying to run) some dark-web scam. Fuck scammers. I would love to see the end of them. How cum good takedowns never get live streamed on Facebook? (I actually hate Facebook. And I use it for fuck sakes….) There is this Czech film where this teacher quits his job (i.e. gets fired), and takes a job at a bottle-return booth in a store – and he discovers what made the weird pattern on the wall. (Hint, the previous employee would silently bang his head on the wall, with his fists resting on the wall also) Can’t remember this film’s name – but this guy’s daughter has been dumped by her doctor boyfriend, who has taken up with a nympho who needs constant fucking to stay on-trim, or something… and of course, rather than being the indignant father, our protagonist really wants to know the details about the sex-with-nympho thing, a la Nabokov, I guess… I like Czech films. Actually, I like most things Czech, curiously. Never been there, but they tell me it’s nice…)

    This blog here is actually a good funny story. Well written. I liked the part about having chilli dogs, and silently farting in her bed. Damn, I am pretty sure I have done exactly that… Are we all running the same program now?? Or have we always been bad dogs, and now, we just write more about it? I have this king-sized bed, and it gets covered with dogs when I sleep. They fart even more than I do.

    And I keep having this stupid nightmare about being in 2017 – the far future where all this shit is supposed to be actually able to now happen – except it is a broken, crappy, crowded nasty evil-place, like “Stand On Zanzibar”, which was written in fucking 1969, or something like that. That was before my time. But I read Stand on Zanzibar in the mid 1980’s or something, when I had this vida loca stuff happening. Selective memory, I guess. Like, I am sick, hungover, flu-ridden, running a fever, and this absolutely hot fine girl who I had been chatting with a few times (but assumed she was fully phase-locked on her out-of-town BF) knocks on my door – and wants to come visit. Before this turns into my version of “Secret Histories”, I need to stop. I had shit like this happen a lot, and it was just beyond belief… We called it “Feinstien’s Lemma” – (after the mythical Dr. Ludic Feinstien, Prof. of Advanced Probability Calculus), who said simply: “It is like this. It is random. Actually, it is worse than random. If you are going to get lucky, you will get lucky. And if you are NOT going to get lucky, you will NOT get lucky. If it is NOT going to happen, then NOTHING can make it happen. But if you ARE going to get lucky, then it WILL happen, and nothing can stop it. You can be sitting at home, drunk, sick and smelly, and a beautiful woman will bang on your door, and demand to be let in to fuck you RIGHT NOW. But the flip side is, you can do every clever thing correctly and fine, and still get shot down in cruel flames, regardless of your own actions, or the skill of your wingman…” And so on … The wild ludic weirdness of life was both fun and horrific during those crazy years. The city was tight and controlled in most places, and wild randomness rarely threw you a black swan that was positive.

    But shit, we could go out and order a fucking six-pack at the beer store, and get the “road-option” (a supplied bottle opener), and we could just cruise the dirt roads in the nearby country, gravel flying, only mildly pissed. Ton-o-fun. Fuck, if kids did that today, they would get flung in the slammer, and their car would be impounded. Where the fuck do people go to get away from the town-shit, and breathe free for a few minutes? Fucking orbit?? Who the hell can afford that?

    Musk is gonna fly two dudes with megabucks around Luna next year. Great. Great for them, but that is just about it. I read a news clip about this guy who bought a clock in Brazil that was set up to look like several sticks of dynamite taped together, with a detonator and a bunch of curly wires. The whole thing was a gag-clock, with a big liquid-crystal digital display. So of course, the dickwads that snoop in every bag at the airport (don’t know if this was my idiot country, or my neighbour’s idiot cuntry – fuck-oh-fuck, but I hate nation-states – jesus, I guess I am just old-school now…) Anyway, this poor bastard – who has this gag-clock in his checked luggage, gets the full third-degree at his fucking arrival destination, and gets FUCKING ARRESTED! Just for carrying something that LOOKS ON THE XRAY DEVICE like a bomb. IT WAS NOT IN ANY WAY DANGEROUS – it was an instantiated article of manufactured humor – a gag-gift, not in any way real. I can see the peckerwoods at the airport getting pissed off about this – but when the fuck did it become illegal just to have something – concealed in your own luggage – that just looked goofy? That is crazy.

    And that seems to be a metaphor for what is happening. Ever read the real “Do Androids Dream of Electric Sheep”? (the novel “Blade Runner” was taken from.) Remember how it ends? What happens when everyone turns rogue? I thought there might be some shit in the future that might be sort of fun, or something. Nah, not really. From what I see of the future now, it actually seems to pretty much suck, and fuck it, I am not a negative person. I’m like the folks at the end of the “Life of Brian” – you know “Always Look on the Bright Side of Life!” – but I can tell you – it’s getting a bit more difficult to do this nowadays. And what good is having high-security, if there is nothing cool, wild, dangerous and almost-illegal, that you need to hide?

    Perhaps we really are due for a third world war, or maybe the zombie apocalypse? Or will it be more like the “Omega Man”? (God, if only!) Gimme the Omega Man scenario over the “Hunger Games” any day. Probably “Army of the Twelve Monkeys” is the best bet: over-the-top viral plague, combined with some kind of cascade-failure of multiple life-critical technological ecosystems. Take us back to iron-age cultural paradigms in one generation. Remind me to buy more ammo… ;D (“Buy it Cheap/Stack it Deep!”)

    Ok, now I gotta take some drugs and go to sleep. Tomorrow, maybe I can get back to the TensorFlow stuff, and the Xerion hack.

