Doing some Christmas shopping.

Creating some throwaway accounts in various e-shops

Some e-shops send me my password via email upon registration.

I've spent the better half of a day emailing those e-shops to revise their IT security policies.

Haven't bought a single gift yet.

Time well spent!

That log4j RCE is some fucking nasty business!!! Its exploits have already been observed multiple times in our company scope.

Time for some unplanned Saturday evening hot-patches :/

P.S. Why the fuck leave such a feature enabled as default??? I mean really, whose brilliant idea was "let's leave the message parser enabled as well as the LDAP query hooks... BY FUCKING DEFAULT!!!"

I mean really, is anyone using that? ANYONE?

And then they laugh at me when I say "stay away from frameworks", "use as little libraries as possible", "avoid foreign code in your codebase",...

you know what.... JOKE'S ON YOU!

Thoughts after a security conference.

The private sector, no matter the size, often plays a role (e.g. entry vector, DDoS load generating botnet, etc.) in massive, sometimes country-wide attacks. Shouldn't that make private businesses' CyberSec a matter of national security? Shouldn't the government create and enforce a security framework for private businesses to implement in their IT systems? IMO that'd also enforce standardised data security and force all the companies treat ITSec with at least minimal care (where "minimal" is set by the gov)

What are your thoughts?