<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Posts on d3soteric</title><link>https://blog.d3soteric.com/posts/</link><description>Recent content in Posts on d3soteric</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Sat, 23 May 2026 12:36:00 +0000</lastBuildDate><atom:link href="https://blog.d3soteric.com/posts/index.xml" rel="self" type="application/rss+xml"/><item><title>Vibe Coding Easy Path</title><link>https://blog.d3soteric.com/vibe-coding-easy-path/</link><pubDate>Sat, 23 May 2026 12:36:00 +0000</pubDate><guid>https://blog.d3soteric.com/vibe-coding-easy-path/</guid><description>Recently in a security governance meeting I was leading, I learned of a new vibe-coded app created to simplify database monitoring and other simple tasks. What really stood out to me from a risk perspective was the included authentication service. It was not connected to the enterprise identity system, so some additional risk was being incurred from creating and managing separate identities. These were not the pieces that brought the request to the governance committee for review, though; it was to open some of the network rules to make the app more easily available to the workforce.</description></item><item><title>The Security Intern: Mass Certificate Revocation</title><link>https://blog.d3soteric.com/security-humor-volume-1-2/</link><pubDate>Sat, 03 Aug 2024 08:13:53 +0000</pubDate><guid>https://blog.d3soteric.com/security-humor-volume-1-2/</guid><description>Just as IT organizations around the world began to believe in life after critical-path-security-product-outages, to loosely quote Cher, the satirical security intern appears again.
Intern-al Monologue: This time will be different! I'm going to start out making a difference in my new career at the certificate authority. I'll make my career on my latest finding. 
First day after transitioning from my last job on account of that little global outage and wow, a brand new totally crazy flaw for me to report!</description></item><item><title>Bug Nonties! Vol 2</title><link>https://blog.d3soteric.com/bug-nonties-vol-2/</link><pubDate>Sat, 03 Feb 2024 13:26:00 +0000</pubDate><guid>https://blog.d3soteric.com/bug-nonties-vol-2/</guid><description>This is a series on practicing skills used to hunt for bugs, make the world a better place, and earn some coin. This series is, by many accounts, a list of failures, since none of the things I write about were considered vulnerabilities or valid for fix. I did, however, gain some good-old lessons in how things work, and hopefully these lessons help expand your secure horizons as well, read on!
Microsoft Teams Unauthorized Dial-out Disclosure Vulnerability
Introduction
It goes without saying, remote meetings are pretty popular thanks to enabling tools like Microsoft Teams.</description></item><item><title>Bug Nonties! Volume 1</title><link>https://blog.d3soteric.com/nonbug-nonbounties/</link><pubDate>Tue, 09 Jan 2024 14:30:48 +0000</pubDate><guid>https://blog.d3soteric.com/nonbug-nonbounties/</guid><description>AWS Security Groups
This is a series on practicing skills used to hunt for bugs, make the world a better place, and earn some coin. This series is, by many accounts, a list of failures, since none of the things I write about were considered vulnerabilities or valid for fix. I did, however, gain some good-old lessons in how things work, and hopefully these lessons help expand your secure horizons as well, read on!</description></item><item><title>External Email Tagging &amp; Determining Link Legitimacy</title><link>https://blog.d3soteric.com/deciding-when-to-click-a-link/</link><pubDate>Thu, 15 Sep 2022 04:25:51 +0000</pubDate><guid>https://blog.d3soteric.com/deciding-when-to-click-a-link/</guid><description>I have encountered a lot of questions from customers lately around the effectiveness of tagging external emails. All the questions and pushback on these programs have made me introspective. I never personally felt much passion about email tagging before; it has always struck me as metadata, something out of the way, part ineffective and part annoying in format for power users, but overall a security nice-to-have. What was surprising to me is how much friction these tags can cause to those who do not understand the "</description></item><item><title>How Urgent is Urgent? Log4j 2.15.0 and CVE 2021-44228</title><link>https://blog.d3soteric.com/how-urgent-is-urgent-log4j-2-15-0-and-cve/</link><pubDate>Fri, 24 Dec 2021 08:24:23 +0000</pubDate><guid>https://blog.d3soteric.com/how-urgent-is-urgent-log4j-2-15-0-and-cve/</guid><description>It's true, it is urgent, and if you already upgraded to 2.15.0, or the Java 7 equivalent, getting to 2.16.0 or higher should not be prohibitive! But, if working in security has taught me one thing, it is to take nothing for granted. 
Maybe the entire dev team is gone for the holiday or maybe it is something else entirely that simply makes the organization uneasy about getting to 2.16.0 as fast as the criticality score alone justifies.</description></item><item><title>Building an Altimeter with Arduino</title><link>https://blog.d3soteric.com/building-an-altimeter/</link><pubDate>Fri, 22 Oct 2021 05:24:56 +0000</pubDate><guid>https://blog.d3soteric.com/building-an-altimeter/</guid><description>Learning new things regularly is important. I make it a habit to find new things to learn even when they do not have a direct focus on information security. Projects like this give me a chance to draw upon a more broad set of experiences in the work I do, and are extremely satisfying when done, enjoy!
Figure 1: The functioning altimeter
What You'll Be Doing
Solder components to the included circuit board.</description></item><item><title>Disabling Amazon Sidewalk on Ring Devices</title><link>https://blog.d3soteric.com/disabling-amazon-sidewalk-within-the-ring-app-for-ios/</link><pubDate>Wed, 02 Jun 2021 04:55:38 +0000</pubDate><guid>https://blog.d3soteric.com/disabling-amazon-sidewalk-within-the-ring-app-for-ios/</guid><description>As reported by Wired and other outlets, on June 8th, 2021 many Alexa-enabled devices such as select Ring cameras and smart devices will automatically create a shared network across the United States for authorized devices by carving out a little bandwidth from their host networks. The only way to prevent your devices from participating is to opt out. Maybe you are not interested in sharing even a small amount of bandwidth with other devices, perhaps you are wary of the types of security issues which may come along with new communication protocols, or maybe the opt-out model does not sit well with you.</description></item><item><title>Thoughts on Imposter Syndrome</title><link>https://blog.d3soteric.com/overcoming-imposter-syndrome/</link><pubDate>Tue, 11 May 2021 05:58:29 +0000</pubDate><guid>https://blog.d3soteric.com/overcoming-imposter-syndrome/</guid><description>I have had many rewarding conversations with information security professionals on defining value and finding their niche at various points of our careers. What has been interesting to me is how sometimes even those who consistently bring value to the team can feel like they don't belong. Maybe these conversations start because much to do with information security can land on the thankless end of the spectrum. 
Not to mention how in some organizational cultures, information security combats an image of saying "</description></item><item><title>How Pen Testing Helped to Save My Life</title><link>https://blog.d3soteric.com/how-pen-testing-saved-my-life/</link><pubDate>Tue, 27 Apr 2021 05:38:18 +0000</pubDate><guid>https://blog.d3soteric.com/how-pen-testing-saved-my-life/</guid><description>Alright, that's a pretty dramatic title! Here's how my background in penetration testing helped to keep me safe during an amateur project I took on recently.
My Trusty Multimeter
It was time to replace an in-sink disposal, but while getting into the project I noticed that there had been some damage to the outlet. Since it was tucked out of sight under the kitchen sink, I wasn't sure how long the issue had been there, but now that I knew about it I wanted to get it taken care of.</description></item><item><title>On Building Allies for Information Security</title><link>https://blog.d3soteric.com/building-allies-for-information-security/</link><pubDate>Thu, 15 Oct 2020 04:18:00 +0000</pubDate><guid>https://blog.d3soteric.com/building-allies-for-information-security/</guid><description>The other day I was approached by a coworker I didn’t know very well yet, with a simple question: “what antivirus do you use?” You probably sense it too: there has to be more to this question!
I asked if there were specific concerns they had regarding AV.
They let me know that they had clicked something suspicious — we were making progress! They were worried they had done something wrong, so they ran 3 separate AV scans.</description></item></channel></rss>