• 1 Post
  • 32 Comments
Joined 2 years ago
Cake day: June 18th, 2023

  • Definitely, but the issue is that even the security companies that actually do the assessments also seem to be heavily transitioning towards AI.

    To be fair, in some cases, ML is actually really good (i.e. in EDRs. Bypassing an ML-trained EDR is really annoying, since you can’t easily see what it was that triggered the detection, and that’s good), and that will carry most of the prevention and compensate for the vulnerable and buggy software. A good EDR and WAF can stop a lot. That is, assuming you can afford such an EDR, AV won’t do shit - but unless we get another Wannacry, no-one cares that a few dozen people got hacked through a random game/app, “it’s probably their fault for installing random crap anyway”.

    I’ve also already seen a lot of people either writing reports with, or building whole tools that run “agentic penetration tests”. So, instead of a Nessus scan, or an actual Red Teamer building a scenario themselves, you get an LLM to write and decide a random course of action, and they just trust the results.

    Most of the cybersecurity SaaS corporates didn’t care about the quality of the work before, just like the companies that are actually getting the services didn’t care (but had to check a checkbox). There’s not really an incentive for them to do so, worst case you get into a finger-pointing scenario (“We did have it pentested” -> “But our contract says that we can’t 100% find everything, and this wasn’t found because XYZ… Here’s a report with our methodology that we did everything right”), or the modern equivalent of “It was the AI’s fault”, maybe get a slap on the wrist, but I think that it will not get more important, but way, way more depressing than it already was three years ago.

    I’d estimate it will take around a decade of unusable software and dozens of extremely major security breaches before any of the large corporations (on any side) concedes that AI was a really, really stupid idea. And at that time they’ll probably also realize that they can just get away with buggy vulnerable software and not care, since breaches will be pretty commonplace, and probably won’t affect larger companies with good (and expensive) frontline mitigation tools.


  • I have worked as a pentester and eventually a Red Team lead before leaving for gamedev, and oh god this is so horrifying to read.

    The state of the industry was already extremely depressing, which is why I left. Even without all of this AI craze, the fact that I was able to get from a junior to Red Team Lead, in a corporation with hundreds of employees, in a span of 4 years is already fucked up, solely because Red Teaming was starting to be a buzzword, and I had passion for the field and for Shadowrun while also being good at presentations that customers liked.

    When I got into the team, the “inhouse custom malware” was a web server with a script that polls it for commands to run with cmd.exe. It had a pretty involved custom obfuscation, but it took me like two engagements and the guy responsible for it to leave before I even (during my own research) found out that WinAPI is a thing, and that you actually should run stuff from memory and why. And I was just a junior at the time, and this “revelation” eventually got me an unofficial RT Lead position, with 2 MDs per month for learning and internal development, the rest had to be on engagements.

    And even then, we were able to do kind of OK in engagements, because the customers didn’t know and also didn’t care. I was always able to come up with “lessons learned”, and we always found some glaring sec policy issues, even with limited tools, but the thing is - they still did not care. We reported something, and two years later they still had the same bruteforcable Kerberos tickets. It already felt like the industry is just a scam done for appearances, and if it’s now just AIs talking to the AIs then, well, I don’t think much would change.

    But it sucks. I love offensive security, it was a really interesting few years of my career, but it was so sad to do, if you wanted to do it well :(


  • I’ve switched to vim on a whim a few months ago, and it still is a pretty fun and satisfying experience. I couldn’t get LazyVim to properly work on our Unity project, since the LSP can’t handle the hundreds of projects it generates, but IdeaVim in Rider works pretty much the same, as far as the movements are concerned.

    However, the important thing is that I said fun and satisfying, not faster and efficient. I still make mistakes, I have to look into a keybind reference sheet every time I want to do something I’m sure has to have a special keybind but I’ve forgotten which one it is, but once you do that it feels good.

    Slowly but surely learning new stuff, getting the hang of some motions you use often, not having to reach for your mouse, all of that feels good. It’s still nowhere near the speed or efficiency of me just clicking the damn mouse, instead of fumbling around with vim modes, undoing random actions because I missed one important key and now half of my text is gone, or just remembering that your clipboards get overridden by almost any action unless you do it differently.

    So, if you want to get efficient and quicker in your programming, I highly recommend checking the keybind section of your IDE, and learning the few important keybinds it has, such as jump to next function/next parameter, search symbols, and the like. That will make you more efficient.

    If, on the other hand, you want your editing to be a skill you can slowly continue mastering, eventually (after years of use) min-maxing, but always having some cool new things to learn that will feel good, then vim is pretty nice for that.

    Just don’t expect it will make you faster or more efficient.


  • I use a Pixel with GrapheneOS as my phone, and I just have a separate profile that only has WhatsApp installed and nothing else. Since the profiles are completely separated, it doesn’t have access to anything else I do on the phone and it’s not running in the background (the profiles are basically sandboxed fresh slates, and switching can be set up to behave in the same way as basically turning off the phone as far as the profile is concerned).

    When the bridge asks me to log in again or refresh a session, I simply switch to the second profile for a minute and log in again. I’ve heard it might be possible to set up an emulator and leave it running on the server, but that felt like too much effort.


  • Yeah, that’s my experience as well. In addition to being lazy with updating, so if some kind of supply chain attack happens, it usually sorts itself out before I get to updating :D

    But I did limit my browser extensions, after a case with Nano Defender taught me a lesson - it was a mildly popular anti-anti-adblock killer that worked where other adblocks were detected, but the developer sold the extension to a company that turned it into info-stealer malware and pushed an update through the Chrome store, which got accepted and propagated, and some of my social network sessions got compromised. So, I just stick to more popular projects where something like this shouldn’t happen, and don’t use random extensions.



  • As far as I know the Discord bridge has some limitations, the major one being that IIRC it doesn’t actually support calls. But just for chatting across servers it has worked well for me.

    There’s also the fact that you have to either trust the project with your password (as in, the bridge adds a Matrix bot that runs on your server, but needs your password), since I think it uses the web version in the background (but then you can also use it for DMs and any server), or set up a bot on the Discord server you want to bridge, which obviously can’t be done if you’re not an admin. It’s a FOSS project, but there’s always a small risk of it going rogue.


  • I’m hosting my own Matrix server with WhatsApp, Telegram, Discord (you don’t need a bot for that, you can just share your login with the bridge) and Messenger bridges. I have all my IMs in one app, don’t have to install spyware on my phone, and I can make bots that troll annoying people that message me on any platform.

    Hosting it was super simple, thanks to the Ansible project that’s extremely robust and well done. I literally just got a hosting, a domain and changed like 5 config values to enable the bridges I wanted, gave it an IP and SSH key, and ran it. And if I need to update, I literally “just update” (it’s all wrapped up into the “just” tool), and it even handles cases where I didn’t update for a while, failing gracefully and telling me what I need to do manually, usually just rename some config values.

    I wholly recommend it. You probably won’t convince your friends to switch from <insert app here>, and this is the best compromise.

    I’m using a small instance on Hetzner, for $6 a month. You could in theory get a free Oracle Cloud instance for it, but I didn’t manage to get one.

    And you can easily share it with anyone interested, make them an account, so they can also consolidate their DMs. I’m sharing it with a few friends and colleagues.